The ongoing struggle between botnet operators and the security researchers who look for ways to shut them down is almost as much cloak-and-dagger as it is alerts and software solutions.
At the RSA Conference here Feb. 7, two security researchers demonstrated their techniques for catching botnet operators, who use secret legions of infected computers to distribute malware programs and violent political propaganda.
The botnet experts, both employed by anti-malware software maker FaceTime Communications, of Foster City, Calif., detailed their work to identify and pursue individuals responsible for running a pair of sophisticated botnet schemes that subsequently have been shut down or forced to significantly scale back their criminal efforts.
Addressing a packed room of conference attendees, Chris Boyd, director of malware research at FaceTime's Security Labs, and Wayne Porter, director of special research for FaceTime Communications, said they infiltrated the botnet community to find those responsible for running underground networks believed to have harbored up to 150,000 compromised computers.
One botnet uncovered by the researchers and based in the United States was used to deliver malware code, including spyware that stole credit card data from e-commerce systems. The other crimeware distribution campaign appears to have been used by radical Middle Eastern ideologists to espouse violent messages and steal money to be used to buy satellites, radios and computer equipment.
Porter and Boyd offered a rare glimpse into the world of botnet herders—a world the researchers entered by hanging out on the shady online bulletin boards and chat relays where schemers meet to share tricks and their malware programs. By luring the prolific fraudsters to offer details about their work and by spying on them, the researchers said they pieced together the identities of several of the herders and helped take down their networks.
In the case of the U.S.-based botnet, which was made up of two zombie networks, the operators secretly distributed a commercially available remote computer management application made by Famatech to unsuspecting users via instant messaging systems and hid the program on their devices. Once it was installed, the operators used the software to load malware onto the machines, including a Perl script dubbed "Carder" that takes advantage of holes in several e-commerce shopping cart applications to steal people's user names, passwords, credit card numbers and PayPal account information.
Boyd, often identified online by his own alter ego, Paper Ghost, said the sophisticated con game began to unravel after a tip from another malware researcher known by the screen name Rince.
After laying out honeypots to help find the signature work of two of the suspected botnet purveyors, known by the monikers MC-Zero and Ink, Boyd said the researchers found their quarry and began examining posts they made to shadowy sites in which they bragged about their attacks.
By taking the information the scammers unknowingly handed over—which included pictures of their homes and cars—and determining where the individuals lived and carried out their work, the security experts were able to partner with ISPs to get the criminals' respective botnets shut down.
In the case of the other zombie net, run by a group identifying itself as the Q8Army, individuals used IM-borne adware programs to deliver malware rootkits that stole credit card information to commit fraud. The programs also served up pop-ups that carried URLs of militant Arabic Web sites that endorsed violent means for achieving "world domination," the researchers said.
Using a paper trail left by some of the URLs and related fraudulent transactions, the researchers traced the group's origin to unidentified locations in the Middle East and observed that some of the stolen funds were being used to buy mobile communications gear and used PCs.
After discovering the Q8Army's home page, which carried custom hacking tools, programs for generating Trojan viruses and other malware applications, the researchers were able to have a set of U.S.-based servers used by the group taken offline, although the individuals remain active on systems located in Germany and the Middle East, Boyd said.