Network Security & Hardware - eWeek


Battery 500 Project Charged Up over All-Electric Cars
Charting the Final Frontier--Google Maps for Indoors
Get Smarter Technology on Your Mobile!
  Network Security & Hardware


Botnet Hunters Search for Command and Control Servers



 By: Ryan Naraine
2005-06-17
Article Rating:starstarstarstarstar / 0


There are 0 user comments on this Network Security & Hardware story.


  Table of Contents:
  1. Botnet Hunters Search for Command and Control Servers
  2. ' Bot Armies '

Rate This Article:
Poor Best
Botnet Hunters Search for Command and Control Servers
( Page 1 of 2 )

Amid mounting evidence that the upsurge in virus activity is directly linked to the "botnets-for-hire" underworld, a group of high-profile security researchers bands together to identify and disable the drone zombies.Convinced that the recent upswing in virus and Trojan attacks is directly linked to the creation of botnets for nefarious purposes, a group of high-profile security researchers is fighting back, vigilante-style.

The objective of the group, which operates on closed, invite-only mailing lists, is to pinpoint and ultimately disable the C&C (command-and-control) infrastructure that sends instructions to millions of zombie drone machines hijacked by malicious hackers.

"The idea is to share information and figure out where the botnets are getting their instructions from. Once we can identify the command-and-control server, we can act quickly to get it disabled. Once the head goes, that botnet is largely useless," said Roger Thompson, director of malicious content research at Computer Associates International Inc.

Thompson, a veteran anti-virus researcher closely involved in the effort, said the group includes more than 100 computer experts (unofficially) representing anti-virus vendors, ISPs, educational institutions and dynamic DNS providers internationally.

Resource Library:

"Its just a bunch of good guys that have an interest in shutting down these botnets. We are dealing here with some very skilled and sophisticated attackers who have proven they know how to get around the existing defense systems," Thompson said in an interview with Ziff Davis Internet News.

Using data from IP flows passing through routers and reverse-engineering tools to peek under the hood of new Trojans, Thompson said the researchers are able to figure out how the botnet owner sends instructions to the compromised machines.

"Once we get our hands on the Trojan or we get one of our own machines compromised, we can easily observe what its doing and which server it is talking to," he said.

"We started off trying to pinpoint the individual drones and getting those shut off, but that approach hasnt worked. As soon as you clean one up, it is replaced by another 20 or 100. We had to shift the focus toward the command-and-control."

The C&C infrastructure is most often an IRC (Inter Relay Chat) server installed illegally on a high-bandwidth educational or corporate network. As Thompson explained, the botnet (short for "robot network") is a collection of broadband-enabled computers infected with worms and Trojans that leave back doors open for communication with the C&C.

Click here to read about a triple-barreled Trojan attack that builds botnets.

Earlier this month, anti-virus vendors spotted an alarming new virus attack that used three different Trojans— all communicating with each other—to disable anti-virus software and seed new botnets. Once a machine becomes infected, it automatically scans its own network to find other unpatched systems.

"It has reached a stage where we are sure we are dealing with very smart, very savvy people who know their way around anti-virus scanning engines. They have figured out that they can get in, quickly disable the armor, then go out and download instructions," Thompson said.

As the botnet grows, it becomes a lucrative asset to its owner, and Thompson said there is evidence that the compromised machines are being rented out for spam runs, distributed denial-of-service attacks linked to business blackmail and, more recently, for the distribution of adware/spyware programs.

Randal Vaughn, professor of computer information systems at Baylor University, is the man responsible for gathering data and compiling statistics for the drone armies research and mitigation mailing list, one of the more active vigilante efforts.

Next Page: Drones in multiple bot armies.





  Reader Comments: Botnet Hunters Search for Command and Control Servers
>>> Be the FIRST to comment on this article!
 


 
 
>>> More Network Security & Hardware Articles          >>> More By Ryan Naraine
 


xr۸0{\5|km]mGJɶkŲ,%^:U*$)x欗v8x %N&O2c["74Iȥ3!]ל۔\sPç}$5~M2i* d&@ jہ)}mk4 uB{#|6S%?w *s=NN5KԚLÆ|c&$ƾl dkdp,FcwO5drZC'AjZ$m(P8"X.wD~VhgeMQR`N Cw&tb9 Q)+X^DP~DM:ǎ-4qFwF̚?0/Pcw Ҵv;P;U{Q5h/E@^cBȡ[w4ɿT݉[͛ L=iLVG;%0Ãtf?Dk> NZ] Z3ˆ辥$)5= \o4QL1H6}~8MZ QK8Q+)Kk0~b[4Ip\.* }=-:ҍ}4 .j.9am S ϡdRr-2QɲnMwͰ-P6cMTjR>//ȣ-N|#[LV)UjT:( Ԙ:j`I%pa)ڱVR]F[V@aF%pfQU>ՠ}s}ɠ}zqri#|g9̠jPEf+gxo4X:nn9n;Wg>9ݐiɝF4qgs z_[z`ėO|g6~b M u ôW+ZxYtM!usJ ,ߖNelpFu1^Cj ݖUB_*Dȟ/Rzhf5 t @CX&%Ge" :u PsƊfCt-Mn #dh&ϭFh- @ho*K>h)9?&FȚb.L22z):-`i˫ TE嗋mESu3 (J!b^3E !\J!}! g|8Jn.b? [Z&ɻfmٝ҅%]Wc.LQcL NCu&vk}F׽~?u~]L3G# EhY7-vI%긦ժJjexQ9TߢW, NKP̷#ؠe)uvΆ8m`NQ}51'4} >'჎$>&΋Csi^XnL-sׇtw@>3OߺzL^TŞ+LКkCp# m .>ql8d$)s>yp;0& zVtc0TM@#,AX]7$>(@+9=PnȲc@|j Jg:r%Ea3C.O)))?CHPw9DJB!B&0H#`P r Tl@PGҥ;qjRF?7rZ |)r͌eV1Yg0VM&Drb/G EwOᙞ6ZlkՒVIdF E=4g!2D֑9H^>V "g˧q6MlJ~B=آf}T jrIiS#S7Ѿ+Վ5Z/us, %P$wS$l&U:9z@t-}=_T>s{|Sp1 6$M !ҧV L M SHb|PF8iFqm0 XbOG=F4W鉥k?i 'حCVQNgt3aK[6 ~\GwM{R^ `fٰZQJ1M 6D 8av-b>SCWѹsHV6ʼnGG ̂q=@+:2ppwEq ?t@8i#xZ `i@% LM{ri΋*8/nZyY,EZD]崲E M\Q's?ŵQz41s~3b_@7TvX/=5xEpsv-fdcDF4pbA=yM~pݎ3XA }Қ9k+^sD ӼX z3rJљ<`+=>]vAP,2Ͻ"ٍ*2)YDkS+)~%xD)sljy ͓0g|}'[QFn̷)AD)/jSh_tUMP}2YSYpg#KκVus|⇇a5}pu'< rõo7D yT^\lvbwNT%:@"c].g}]~k̼ITCGVUeH4ỵV3G e 4~=NEZЋg2|LJغħO-D/x_7)~b$EC9mA~RTT]\H#U\+ԊR/YTAtUﬤ%vdɮ0h W2&\|&_s6K(b(QQa LW*>wD>4Ϩ;cNb h4PG c+j`ej NXs-4NM6f&}~fMٸU f|2.izIRϢsw@&:8=._e2qi7(j-/$5HƝ?5?XP7|*i7IղAk JZ8qO;a#ҵLp ($jZ9 OYdY.eժR+o8N3Ay vBO|+tS1WOXL]\ tKOo%EDOCVi&gX&1W+sAlxqLL_w?C?kueqjb- WFhmx/nL10چŠqZ ,JQ?~ .HIc罫tv.? N;Nꈷ\;. {}Rn+}U\uD*&->\In]jFya8&PvB,& IŤ}vnuI7m}>8-odF4z7Nus%d}ڻM|sՖҽN zs5A AHλ#v< YE#̮B^[7ȧ5Ak;d4)$3pX#axK# DH[(`Y3 \/d]s>\zF_j,s9EψXT x-)[coc8 Z`!aoH:=X1aXH0]R ~tY}o .@AVB 0F_Th)4zuM<;knZ)p5[;E_%'k;tR-g[M7S+tY;D_q+5=?eU['u>!98ڗ>48tyI$ rFqxc`sAZd}leԉ9%r \${-~'0 clGQ(S)G*IZ;Ũ˲ ݖ4h9 :)Oz.?F(vH PLOҼe=lI1 iK"i$bbVfRoݺڞ6<5ޥ]ƙBNmK$hgcgSe֊(̗4.נed+ b->ϓFw3DL^KkȪegʺB n|Ā IzCD'zX,075^f ZEuq_3v l\NY* (s6 w"ExA-!gC>l{R,еlLd@T7CV #F}DkO,nk.;۰彠PFFĮUrkz Zt VdLjǥܷrtg GzҺoH09i}%XD2oBOH4b5~ſ|뢧,F r{k_=#g䢅y+nl(=hG_tڗ_e{qO r<]1hnh4lLgI")Vz57`\8%/+xx52Ӣ @7YM d3 To<4hɘAxl7B_7C]pb_s1T ;`o~ϤW*]c*o}VZtC.qB).Vd/)&%n.E L OKt1ڮ/=اHkyXdbS+Oف 1O O=qԶنǓǎC *4loZ*%)$2nHC%[euw+[S³$`DI@R(6-lG@|P;6 +|b1 <e_L·⎭zgQ$g IV_O\RGFt'0W􁜸!̞ 06t7on[S>43ˁms.gw2畏[ݧVC9ƩOP8 艗vGb;UuR1sUqm )vPvn|WEr>S۬%!_h 7<qx/OE5Ƒg8׍ Jbex/` 6&+ h':-7Ʉ!od!.qFHr a:H "w蛯;zhEJF+Aל/ jFi Ta:4,'ݏNeKx} kJOܱĽG3wI1t| A!D0@($,#0+0_mlnYqUYW MUI)IJuzCYh/%e sw^D)/ A rX/ 0$0Q B~7;UirP901K>RˆIynM{w -p:;Hʤ&u#R'.@:Ճ)H* 7|hJקyAZPBAA!<;`mPyWr()m|#䩭]I@\&o]+UHHڏ5cccc_?YV }CC 1ϝ;:i4Lh;ȗsBSKa ;%} NH!=]jo /oL0<`r!t3~K %]# [ѻg`opmcsj[ˇ[nLOaՖZ-|Gi>~j(5s -u!R yߓJ7t~.ݶgC9_8+& O8|/ oG9 .X Z@mɧ/2d㲌77r2(ԟC`<%^nvFݖz#$Gx0ha$=*'%gU_0N/wFuu:|SWث]An3knо3ݟ[0+<:" (f.a]XwQ8:Z@ߺz,S¿7Vp`z*t~|pG" 2Qmqmn[ˇ ˵ISP{>$ bxeb_"%^"K?<9_>$NXqDС\?Rt<Q {V-]ˇhFz}@eŢ*ҕ*`ANGԗ$gXToaoD #b\Wj#%V;ck_'lZaflc1ۈ]sch?}-3o_fBso+¿\3=m.vy/;qgW =a%?[޾ů_pJε,37=mO[")ˁr_CZÛ2`hmO]{䶗JAT=˻6۬W8>,fER  Z1ߦܓm_may&(>WȪhF̊>tdyVC}_?=g}F6ꇠd^ehh֒_fXsKJD:`E+⌉fae?J60: =S98Z"O}@5>-h νk(jZt_ڋK۪_l~n%gǂȼ l-^FړŇYİO:~8Ex%=6i[fǮ"Jfad$ƽ֑lE}`Ldkl긾XZa(_S3VGBA8AXJo,"%xaOhquQ%ϤHFpxIgztJZ"ΙTh,ZNtLĥkc.э~ZM9TWK.KBG2K*ߕlW1 {BZĻ+cSAN2AGuJUDZ!դNK: -5נ)؜>7-yM17bcCyll+=6j=!v?ͦvDWd󔽋wSzڽ9z<1rS5uea8unU,=ԘWa :|,M!"[Kx0c/cEhTHVSDc>TLĐljUwZ֏(E=4g|{3'5*>5BYQ@HȍF.񾠮5ef_KB ړn̝ W*ZTf0oq*!EO ?)vGN$ avż:?:6<6c;ZV]o^:]Y[CK`qG ̡ ݥ&Dm+i!"3csGπљF;qvCWIеARɠ{3eF-h>#Թ|'b^o9f0؞b*,9+] ͼj-%Vd]F-Rt > K?Lu G KG3 ?R)%o%:* oDad+nϪ5̍PrCnmuê5fjJیh-k(8O&׈1h @>'ny^mIz{ !sx}>a\ )U?kueqj);Y755 nYP8_AnKDb\i:&  )ECQ ܟ^j@*IgO4ی [ ӌ&,(LKt<.:W>m{A=~qLLROWы.4pb YOZ`Oh$}Yb-RW,db"@՘^_پm#?:}ۿl>FxX29k #ٟŻPd\ICdFoeq>GfCRO⺢l=>We~t6&nY! sQ>閣FMQpV#_~p3,ɏMWH-ݜ(8-zyPh$`z=9aita~{SdO (  @K1c~To֔J$r >*%n3IǪZImWv'0x)nV?-4W PRx 4 V cGCd2fqLun /? iv?Oo:׃N/{ Zѷhlԝs;tڻt޹j_t Gƿd&SRoβ4Uf~ʜP6u&\ «1.y.s9,tG_0te#tIt(%lGyї51ũ2M0l?1nO֖C|@Vȩkh7 r:x) ύBjsG8 SL~}: vn2=))-VNy{9g@vN)/?]N}/:Eg}yC:9L*~S ?/9599w~7>зC.ЧC. .g7?QFrs/"P.wsa|r *G~`rƯz_z9:?onrs ׇ9}}̡---mm$!(oY'NoR8'9B$_*Uy@a uuS~9@yL*Lcs\- {){?[vO{gy CNW\=o /ga#f^T)pFFS&@Y:'Q?Ѱs73Pj:} m .,D-l~ug+6meWw -]\AK5 D =bH[ˋB " ?s_;.q'z7 b2OF>ಓ:0Oqg_Vf}^$u60H-z _Z30ufI179L$6~gikMvn)1 {9;Kh.#0uﰟcOY|17(5""H "s{B|&cV^Rs1H woCShuz_ :F |m'\3PzSA۹&}מX? X&}#;o4 (OP"Sq}$=CfJ N_x!$~<>L!qZIo :33U)fkA/?H3軉fKFђkֱ8 CBqbldB*$CbgHYwт|*6(6XB 0G`wF:`s s"T)^M9D㦋vsɿعeWhJl;9QpMd2- !&# M;:ΏĨ Pr䁜21>^c *۳|?u3f[ŝA>h4M(Ƨ%ɷ |[b=̾J F ɮQ1ng`SwDl .7(./]& xUa!+e71K(Xp\'Al=k ;.[r"c<[_EڵlAtvl랮E?hymӕy9" 7]!Kb Ca]R>ǔK]'[٧$2y<-Rn/e;͌/^X (;FbV]!8N]RjÅ ,c<&ԭ<P8<00TM!vj]nFQXƺa#]QaW::6 n uywTM7']ecFPs,$,Hlc|} ra|X Q|޹MϏq`e]g0^o,eHc+qd! " $䤭k.Mui4,Mb=E<#O q~ 0n;F 6;葝(tg`D sJ]gۂq\׍k׶GS<"Y<.Ι"X= mG,@| W{څGSE6:|<;G_NJOk%I )f}frGn܌iBbq4hq#}ezЙJ؏pK8Ng)(Y^$ZLT/nD6N|a`|L2d8Ʌv1,:Gl+n:; 7X{EkR({W\~:)#M+`.gί>!2T!6xvhEiw#[7xIއ3)h,=R$DY; AH]:W񲞽P7wIr9̳?s7*ѡ~kyPVK%Gv36LZ\֓C\/muǍo=Y)l٦dT4K_hj*J5 }Ta,~XXqg;f†[hFIkomjU xZ%