Botnet Hunters Search for Command and Control Servers

Amid mounting evidence that the upsurge in virus activity is directly linked to the "botnets-for-hire" underworld, a group of high-profile security researchers bands together to identify and disable the drone zombies.

Convinced that the recent upswing in virus and Trojan attacks is directly linked to the creation of botnets for nefarious purposes, a group of high-profile security researchers is fighting back, vigilante-style.

The objective of the group, which operates on closed, invite-only mailing lists, is to pinpoint and ultimately disable the C&C (command-and-control) infrastructure that sends instructions to millions of zombie drone machines hijacked by malicious hackers.

"The idea is to share information and figure out where the botnets are getting their instructions from. Once we can identify the command-and-control server, we can act quickly to get it disabled. Once the head goes, that botnet is largely useless," said Roger Thompson, director of malicious content research at Computer Associates International Inc.

Thompson, a veteran anti-virus researcher closely involved in the effort, said the group includes more than 100 computer experts (unofficially) representing anti-virus vendors, ISPs, educational institutions and dynamic DNS providers internationally.

"It's just a bunch of good guys that have an interest in shutting down these botnets. We are dealing here with some very skilled and sophisticated attackers who have proven they know how to get around the existing defense systems," Thompson said in an interview with Ziff Davis Internet News.

Using data from IP flows passing through routers and reverse-engineering tools to peek under the hood of new Trojans, Thompson said the researchers are able to figure out how the botnet owner sends instructions to the compromised machines.

"Once we get our hands on the Trojan or we get one of our own machines compromised, we can easily observe what it's doing and which server it is talking to," he said.

"We started off trying to pinpoint the individual drones and getting those shut off, but that approach hasn't worked. As soon as you clean one up, it is replaced by another 20 or 100. We had to shift the focus toward the command-and-control."

The C&C infrastructure is most often an IRC (Internet Relay Chat) server installed illegally on a high-bandwidth educational or corporate network. As Thompson explained, the botnet (short for "robot network") is a collection of broadband-enabled computers infected with worms and Trojans that leave back doors open for communication with the C&C.
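The flow-based hunting described above comes down to a fan-in analysis: many distinct hosts holding long, low-volume sessions to the same server on an IRC port is the signature an IRC-controlled drone army leaves in router flow records, whether the C&C sits out on the Internet or on the campus network being monitored. The script below is an added illustration, not code from the article or from the researchers it describes; the flow records are constructed for the example, and the IRC port list, fan-in threshold and minimum session length are assumptions that a real deployment would tune.

```python
"""Flag candidate IRC command-and-control servers from flow records.

Added example (not from the article). Each record is a NetFlow-style tuple
(src_ip, dst_ip, dst_port, bytes, duration_seconds). The heuristic: many
distinct sources keeping long-lived sessions open to one ip:port on a common
IRC port is what idle bots parked in a C&C channel look like; a single human
user's chat session does not reach the fan-in threshold.
"""
from collections import defaultdict

IRC_PORTS = {6667, 6668, 6669, 6697, 7000}   # assumed: common IRC listener ports
MIN_FAN_IN = 3                                # assumed: distinct drones per server
MIN_DURATION = 600                            # assumed: bots idle in-channel for minutes

# Constructed sample flows: (src, dst, dport, bytes, duration_s)
SAMPLE_FLOWS = [
    # four broadband hosts parked on an external IRC server: classic C&C
    ("10.1.2.3",      "203.0.113.7", 6667, 1200, 3600),
    ("10.1.2.9",      "203.0.113.7", 6667,  980, 4100),
    ("10.4.0.22",     "203.0.113.7", 6667, 1500, 2900),
    ("10.7.8.1",      "203.0.113.7", 6667, 1100, 3300),
    # three outside hosts parked on a campus machine: C&C planted on our network
    ("203.0.113.50",  "10.5.5.5",    6667,  700, 5000),
    ("198.51.100.77", "10.5.5.5",    6667,  640, 4700),
    ("192.0.2.99",    "10.5.5.5",    6667,  810, 5200),
    # ordinary web traffic: wrong port, ignored
    ("10.1.2.3",      "198.51.100.5", 443, 50000, 12),
    ("10.1.2.9",      "198.51.100.5", 443, 42000, 8),
    # one person's short IRC chat: right port, but fan-in of one and too brief
    ("10.9.9.9",      "192.0.2.40",  6667, 30000, 30),
]


def candidate_c2(flows, irc_ports=IRC_PORTS,
                 min_fan_in=MIN_FAN_IN, min_duration=MIN_DURATION):
    """Return {(dst_ip, dst_port): sorted drone IPs} for likely C&C servers."""
    drones = defaultdict(set)
    for src, dst, dport, _nbytes, duration in flows:
        if dport not in irc_ports:
            continue
        if duration < min_duration:
            continue   # bots sit idle waiting for orders; drop short sessions
        drones[(dst, dport)].add(src)
    # keep only servers with enough distinct clients to look like a drone army
    return {k: sorted(v) for k, v in drones.items() if len(v) >= min_fan_in}


def main():
    for (dst, port), hosts in sorted(candidate_c2(SAMPLE_FLOWS).items()):
        print(f"candidate C&C {dst}:{port} with {len(hosts)} drones: "
              f"{', '.join(hosts)}")


if __name__ == "__main__":
    main()
```

Once a candidate surfaces, the next step is the one Thompson describes: confirm it from a captured sample or a deliberately infected lab host, which will reveal the channel name and any password the bot uses, before asking the hosting network to take the server down. Two caveats a practitioner would keep in mind: bots that use a non-standard port or a dynamic DNS name only show up if the port list is widened or the analysis keys on resolved names, and a busy legitimate IRC server will also exceed the fan-in threshold, so the output is a lead to investigate, not proof.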


Earlier this month, anti-virus vendors spotted an alarming new virus attack that used three different Trojans, all communicating with each other, to disable anti-virus software and seed new botnets. Once a machine becomes infected, it automatically scans its own network to find other unpatched systems.

"It has reached a stage where we are sure we are dealing with very smart, very savvy people who know their way around anti-virus scanning engines. They have figured out that they can get in, quickly disable the armor, then go out and download instructions," Thompson said.

As the botnet grows, it becomes a lucrative asset to its owner, and Thompson said there is evidence that the compromised machines are being rented out for spam runs, distributed denial-of-service attacks linked to business blackmail and, more recently, for the distribution of adware/spyware programs.

Randal Vaughn, professor of computer information systems at Baylor University, is the man responsible for gathering data and compiling statistics for the drone armies research and mitigation mailing list, one of the more active vigilante efforts.
