|
|
|
Botnet Stalkers Share Takedown Tactics at RSA
By: Matt Hines
2007-02-08
Article Rating: / 2
There are 0 user comments on this Network Security & Hardware story.
Botnet Stalkers Share Takedown Tactics at RSA (
Page 1 of 2 ) Security researchers who specialize in the infiltration and pursuit of botnet operators lay out their methods for finding, monitoring and shutting down individuals who control networks of infected computers.SAN FRANCISCO—A pair of security researchers speaking here at the ongoing RSA Conference Feb. 7 demonstrated their techniques for catching botnet operators who use secret legions of infected computers to distribute malware programs and violent political propaganda.
The botnet experts, both of whom are employed by anti-malware software maker FaceTime Communications, based in Foster City, Calif., detailed how they identified and pursued individuals believed to be responsible for running a pair of sophisticated botnet schemes, which have been subsequently shut down or significantly scaled back.
Addressing a packed room of conference attendees, Chris Boyd, director of malware research at FaceTime Security Labs, and Wayne Porter, director of special research for the company, detailed their efforts to infiltrate the botnet community and find the people responsible for running underground networks believed to have harbored as many as 150,000 compromised computers.
 This eVideo shows how to defend against botnet infestations. Watch it here.
One of the botnets uncovered by the researchers was based in the United States and was used to deliver malware code including spyware that stole credit card data from e-commerce systems for the purpose of committing fraud. The other crimeware distribution campaign appears to have been used by radical Middle Eastern ideologists to espouse violent messages of world domination and steal money to buy satellites, radios and computer equipment.
Porter and Boyd offered a rare inside glimpse into the world of botnet herders, which the researchers entered by hanging out on the shady online bulletin boards and chat relays where the schemers meet to share the tricks of the trade and their malware programs. By luring the prolific fraudsters to offer details about their work, and spying on the criminals, the researchers claim to have pieced together the identities of several of the unsavory individuals and helped take down their networks of subverted machines.
In the case of the U.S.-based botnet, which was actually made up of two zombie networks, the operators secretly distributed a commercially available remote computer management application made by Famatech to unsuspecting end users via instant messaging systems and hid the program on their devices. Once the software was installed, the devious parties used it to load malware onto the machines, including a Perl script dubbed "Carder," which takes advantage of holes in several e-commerce shopping cart applications to steal peoples usernames, passwords, credit card numbers and PayPal account information.
Starting with a tip from another malware researcher identified only by the screen name "Rince" about the people believed to be responsible for running the zombie network, FaceTimes Boyd—who is often identified by his own online alter-identity, "Paper Ghost"—said the sophisticated con game began to unravel.
Is the botnet battle already lost? eWEEK goes to one companys research facility to study live botnets in action. Click here to see what they found.
After laying out so-called honey pots in hopes of finding the signature work of two of the suspected botnet purveyors, known by the comic booklike villain monikers MC-Zero and Ink, Boyd said the researchers found their quarry and began examining posts the individuals made to shadowy sites in which they bragged about elements of their attacks.
"You have to be careful that people arent just yanking your chain, but we tried to use social engineering to get as much information as possible about these botnets," Boyd said. "You have to get information from nontraditional channels, and working with Rince we were soon looking at live feeds of their IRC chats."
By taking the information the scammers unknowingly handed over to the researchers—which included pictures of their homes and cars—and determining where the individuals lived and carried out their work, the security experts were able to partner with ISPs to get the criminals respective botnets shut down.
Next Page: Tracking down the other zombie net.
|
|
�������x}ks۸q�f89��zۑR-:,�KOJK1Eꐔ�?q?q��%N&s7-�`�n4���~$IM�kmJ9;D�{{?&ЇP|oS�o92t=z#�m��)>M3ة��5���5Gl&J~x#AT�{��j �xL5�uƚ�}ٚc7h2 X�-$(�k�N�մ�<ڴ�$�)qHÑh]
!YQ��ږyD6�G�Ha��T~l]\��r m�+ FַRߙ+0QT�&*rp4M2�A�1q,{/B�rM7JQ߹�ZV�H+(.##-byOa`%�pfQUrn�OgsKߺnZ:9?nΐ}3�fP+�M�~(#3h�ؕgxg�_:nNo9nڗݛ�9^Iɝ{N4ps
Z_Zz�`KėvO|��SQ�&�:aZ+U"3t=jI�o]}8h$7�Y>ퟒ;��;Beu#�7�ReQ
�o̱n>�@|ˤd6M2T��a��]N�j__ѬZxka
4�+@_x0N�D=�f�M�s,e��g{0A�M)��61tG��v!fBy+M)���z@@�ZR~nV(�U7$ٛ�"G�;�ž_��"ʥ��c�p1S{�.Ӱu�irq���ZoV͉*]XYu�jZl�E?´;\g8k5�[wսuS5ߵ`Ub}Phv�ZM]�qsuTSt*Zl:�o7RQ�^Tjr[�h��2ud8��:AGA�ticšh4έ@7&��h`C}ҍ:L��?
wG|h��x:,,Abχ�&a`M?�FAтMz>t�T�;�]|�2��Zw�9ܻ-L&w��z
�JC�ˋ�F0����P6��x���Be^~�}�¢��1O�[>ȁ=�`Mtև
&��QsnPB�f�x?Ȝ+)
��Ttu�{�l��p>hBJmH�w6q��J[Y�*,b3)4j+zF
���o�f`�׆ �K ؈㌑�ҵ�3Kw��EeוּJM!jFd>n�'�[ar�S��hfh:l�<}6:Hy5՝5̆RPIڏ9&�_G5�k�^��ˣ6Wȵm>2躢G�Ʊ4g3t%ұy�4���h_G3kHb4"T2paLH�a0S]�e�lQؼ;(kN�4:E�80�GeCf+[ꭧ;�T+[pfۻ(�Sܧ&�;alâ˘c_���#���1$6/Pk
:0!/�P��\Q-W0.#_L��_LU1(TO�nʻhC�z-X]>L,',@��УCkz]W9,#߬'h�h<]HjP6C+jrTT+
qvJwq�)4�� �l2{{Oe֛OJm@o(�[�gn�%W#s3/�x/ &1h'0^+'o@|�V_ﬡ>]Ik0�1Sle`Sxt(�b*��䪢#?݀�έ�.�#��Џ]����Mt��Ak[�,
�ܠYC�aiϖҚZ-�V,?A�@�ޯќ�)oE`���9^R˶SL*H@8��u<|[\Y3
Q�|5z0bƏQ�ajY[�ສTjՂʾ_iW�c7g)h�"QkF&:�FdH�tΈ+6RNT8ͯ!�q�>:(TX�7gmE{H^ac7U�[@o�F)�/Z'W'&hT�JE,}&-njvJѷ�p]g8ý�?��,tljq
c0:g<�}'�YQ�BnG�Գ(AD &�
/��j�h_��tUM+%P`|,4̩,F�lؤκV:9�Se>e'ß~Vf7oQ*\
ZGqOX7n3_�"�>sԳйtNsl s
�ܒ;� k@X'V-(7ϙ40p�2^=uK6,^ira;9Qo@H�ms11� ZoH$;QOH{�e?f#�Z7pTJJ\�
$J+A:er,×o~a51r&]X4�N>��2Q&OB�8Jh-[r_�A~�V0u^A##ȫͦ'0k(j'�fcO7)~�}$DC9km�z~�RTP�]\Hӛ&#UX)TԒP/YTAtevdi&x9L�5�Ll�'P`�R(S&Z�D�]Rx*+nQ/ew���S? &i���^IW�:.k��y*1�a2N$D
knIG:��a��F*ݔ[Y`'\U%P-HjYt�>80xn�X N��zW�8pL\'e�M=J6z7EM+v@l+J9wwGc&���Q@Z: GYdQ.��|eR)*`7�%�ɠ��K=� �j ;!�O}+�tS��Z1�wOXO\dK!O�o%EDOC�Vj�gX&1W+�ʬڼ f@48&�;W���ZU}�"}QL
ޟp�ف���#�{?J�nڧCR>Y/5;OxDŽ�u�_u{~{yH�Dyy���D߫�KKx�iïRCR:"*yTjwZb8�}�LAIP
��4�p>"i�CO"yzھ|']w�Y?`�yA�n�8I{O�eKJ:^w��9" 5/.�Y�F�>9h5ÏO�M1k�0vhR`Q��fjmX#�ǎFD_�!m
Be\קk,�S�VXKr!�}&�=C٠l�Gkh�N؆{+^�+[�̚_�f·ńB?JNx0�(G��@�RPOh�[#N۽vZgp6"�
Bt�X�1t�e�}E/R)Q\(뉞�OYi{L�$)��(9Q{_[a(ۗo1Mr!}J_cN/Ͳi<"��]{pУXJqkGҽ8 $ubSP݃�.Zr;�0y!D(��o��l�"HtSݏkԛC2L:�&r֚S�%[@csOӖO|�B�a�J;Da2�u?Is6�uYX�[��NhA�S:%ə$�F�=�)�*ښIդ"8I5F4A2
uIH?
Md�4XPW
Pق��'59ܻ8�^]۹m|d`��=`l)Za�"|)Nr
>i^�`e>�%;yRb�QגZ4ҫoeW!9���|D�s`*�=S�L aʕCrWkb~�]4ZU$=ݝ:�F`�cIŃ
O�~ؑq��eީӊ�N|�u�+KׅN�o͗�W�3k{R̵jПdeNx>HАYc=p>}䌜00;z[�ue's�
CW+�t8niamǡ8�
��0^t,4P$yUZ/WU�$]d%�
>�Yx�2�&nulځ{�-�3(��#{F-^^3{K�WKx>*~�GL��w.�z@z@pw�{Zg%QJW=�(qM@jjiAr\"~^YZ�䑽D���Hڃ}co[#D:*pc^tO�xc�Z�yi�襖N4�?W9w�Bf#A�VާA3�,}gG|{�+bQ�Ţ<:��a
&rޓc7p($�7iP(jϤAߝ3�<@;(?u|Nz �NCL%}�$ͷ6/�SO�sM�s���5L�xpcȂ��p{�h�KayD)TsY@�&NuBu'1cngH/5ijD��SKb\j�
�^G|tR�Cn٤N�x"1B:{c�v⬚�%mk*8g�כ�{o�tSX-IJg}v�Nb� ��[%ʑm�uTERFyqHtY���RR1~=J#דΩ=`��J\�0XHv[�a}[,;%B"xcW`ԶsՕgk2AئTrGRo�B,a�d3WR�SqH�!�#H(Ɛ-ڙ�!�vź�(UҶʗL%XخOSׅԜ N`q,`@�FbpC8oXޒ���7v>R3, S�K]�'yqwwwww\VjX_rD�W+u���P�j;��B�/L|됈��[ YX?(�S+OQ H7v%+�)6�;CR(CܠXwTǹPO\O�Ä�^Qc]ż9�G
�:�IPv�3f?G9
Jfl#Q܈]cc/33,r|^5�GH�Kq!b��/�>NX�a~�#̷DeůЊc=m0o}Ġ��C� ^@���= ��mqml[s(L�6:n�
km}�Z�'n�vRzJxHܱ;;V0G\ML_*
-e\4u`tS.f�Do0�_�5=y2;M�sȋl�lxmzm/
Q�Nkv�mXï^{@fERs��Z���ߦ�Lm_m�au#^�/{l��ȪhֲF�wt) R�2ײ#1}Ժԇ�
z�(� �ƗY'
[IHg�c;#}�b8cET2̭,Gdn{IÜ���ᶀH��y3�D/]�/c"�>&ܹJ�?�_��/K{~i[�OT��oqi~|W�siۋ@{�5�I��%1Y~�Gj���.P5)Z>fe6PC��-nx.C�4n;*��f�]=G?ځrU����Qo|֊�[NۓiΞCm�y| [D��pS\x?���*Ɲ@
�ϲ+G~���FVVrc[aty�^SQe~ۘBP8K[,z%Kpf�$&��iX3�CvOI
r�a{��B6��?E
�}�
MDp�vGSr@Ym�Ӷ|�01v%1h}PR�
#�=%1���{=c8gs8RG�5Śx�
�K-Fr59"@�� �Rxc�)�+h���x��B,p=&6�
ͤ<87%a8FS�Y�h9uS!cbj�\.he,zVdqK2&�/ #z�Й>��3&^s�ME�*^0H�Q�&b@JVH4i�s9xCQ58�{j���b�xc;Xy�ﹱ�Vy
6vn&}+m'h�zBRKo^;G'�ܬDM$
ܮrG܀��:�mQ�Na=DX�oh(��%}�y =���lMᗚkg烔K�pʭBף6:F�̽O
MĀ�l�*e9
JI-G�y=0|sݗǮV5U*�5�YQ7��L3=Dr�TXc>= `z�Ed#u��sg�楒V,T)[g? 8,��K&fM)D�&ǵtxZډ�BL�{�ߊS�g|[2@��
`ƖC_`wUqji\-c��
zve+laؕ{�
)�(�ȚX��t bJ n,�͎Sc:�&����)<]С���_�r@JIg4��ی ��Pm̼ϴ@GBSx�&�㗣Gd.$���qp5D�;���
roE�VIz# ,@gEꊍ\D��Q���EBcy�V=C}A.[7VߺU C�yѝ ��H�<�yS]ܴ�h,-L 4h��XԘ8@# C�O�
2+wCy2&.V�h�c>zS?�!嘭#!+^�bΑ,#֨n__R0F$u2��C:���ZF�h�IED#Thb��GB#&�^I79kN�-i`IkH���J���z0�s[ITPiF�c��cs6#&|?X}p H> �+&(?-p�E�
�{GLƙ;fQWs�@yT�H"bT4�]ΰ*�@�[�`g*���
s�n
Q&@Ĕ�v7U�I,�C/x�` 3��l :Lma`t��.t?�OgGA~2t:U0͇S+�fɻ3��:r�tT(ʁ�2|{�C�`�>�c�[7g��ΥiDZ<& .ycI�� 8�^yN4X+=7,X����A`��p���3�W�VjE)OBӁRs]��j)q>]]�{�ȠYV^*_#ӄ^I+\A]��/ �PIZ�
�W�}G��IS��k;G|мDκפIή[-p;n_Krܺ�(lkE/WQwqIYuuݾ}$�`
yjKyl2/*�˙͓Q�9lvZNS�ʩ`Sg̵,��"�^ûHKvE Gcqq�^ >Tw�D~Rv�}Y
Q��J_MӄGO!~iԊkm9�
g58ٙ/K_�9q�Ƨ6f}uR��\js���@1@C|k]N{5Bx_m^�;^d�B�P~ (By7�9�hp(?g@��Pa}y;8o/o�ӌr_;i_fC�52?A��"�>vNt�N��ɂ�dз�dЧ�w2�v2�O�/?Bnjs(?(�#�坌r�ˌ�̐K�ˌB�f.n~�+x*k���{/�>_?/�!>BǬrc�~�~�3w�7Y7�{�d�wɹN2!(ofY
�NoT�8�\8_Je�YW@a uyQ^�}VV<_`fk�W�t.�rf_�2��̭L_W'BX\jzr+�^e5�v+iA�-���{} yW��/"yeoR),� �AQfQ.�
3l?V\[[,Oн�ۺ{'
Jݓs+z`~J\]M�b}+r>VD=;bM�dG,DlG\%�[n3'Og6h{D��4k�{HO8�eyb�AZ-c�#]~�L(���(7].�6pqSn$/� 5`
�nsOkr>u5"[~|^YlفGh����O��WYn�-J�aġeCO�o�r�܌3:X�Z'�Oi�i]_6/�Ww-ЙO��>AݷDV�)pF �F�,RK|c ,>(�hعkjzrt5pÅ6@$~��,@���$u͇RiE�rT)~ܓN0lFp@Dd�xɪ"+Uw9 ط]�V++R�0�X\����^9�Q(Fuo*K0njy�=q̐g�a��1Vo1�BDO" ѱW";f]{We",d�'�æȗጽNۯX��ā`
�pTB�Pcoq�
=s]
�YI��4Ëܹ?|N�F��]�
� {{�[2gډ�e�:��̔q8�i;Ìs,�iށzxmV=�ȾwF=C��x
uY
P,�#V}U#"0�;��Vӄ.�w�Ńq`a\m�8JI�(�q�0vF�H770���4.ޘČkK$LfLdC�om§On3A ��~7��m
�o1I45~�ɱf�(�W �k�DF(�t#b́Pl@PJ]Xv&^6�\�ؓJq}�l8=;t؆"4��]ݸ3EK~'xR
��Hn2o`5�svԡ:D@z_L& �\v�i��dl(3��/DBlv����K=c/,g.S=v�`胙�&�G�� ?Z�>KGJL�Ǝ�$z�S߂93r^���]�ɡ=��$>}T.q
5sE�Eב�E,&JhӄZ�{J�fBZy}�M(A7
~ł霰�)#,|HnLt6q�>+s�o�-�"~e%�v�
cT��F\�gȌa)x�Dw>QcС�_456��:\-5,l$9�=�A�Sh4�ϛW5���EXI%�9wvgcw[/AI)�H[aʹD.v�VAxrx*�D�IxrHqpC>��~�EE~!OG
ϻy�Hj(t��I`S�& ���,M,G۔y?�;ױ)�
Mm'#8�4B�>ؼlQ%�76x��}�҄I(L/Tvy*�*>�% �/� �i%:Ɛ�=-���)0�p,\f�tO#m<�`
G&ʖ$߀)0t�oA�s^nT "+1�
<&�Fߟ�2"�L�-� �ԦLSw(\*],1Ał?�vLw�9�9jE Ǣ8"U]ۼ�x[9�ԋO0xmѕhOɬql>-��/#]^$&+$~Il=fu;+W�rcd+�{f�:eP>EX�l'!R-+�K�ei$Vi؍�5-E6*�Ѝ5�ϰ|3'5ȱ
ya1 g�{y6W=?5z��l�vf>a:=YʐLW\�D�I
qk.-�ua4,Lb9��"[^QI�(`�vX�3�|"@a)5|d�n�~ӧ�f<�4W�6AĶq��ytʵ-���ˉ;{dy/�|gvC�%�=\s.&tĵa=�!an%nǝl| �n%96L]_�[�
P�1-f)��
|
Network Security & Hardware 
