    Botnet Stalkers Share Takedown Tactics at RSA

    By Matt Hines - February 8, 2007

      SAN FRANCISCO—A pair of security researchers speaking here at the ongoing RSA Conference Feb. 7 demonstrated their techniques for catching botnet operators who use secret legions of infected computers to distribute malware programs and violent political propaganda.

      The botnet experts, both of whom are employed by anti-malware software maker FaceTime Communications, based in Foster City, Calif., detailed how they identified and pursued individuals believed to be responsible for running a pair of sophisticated botnet schemes, which have been subsequently shut down or significantly scaled back.

      Addressing a packed room of conference attendees, Chris Boyd, director of malware research at FaceTime Security Labs, and Wayne Porter, director of special research for the company, detailed their efforts to infiltrate the botnet community and find the people responsible for running underground networks believed to have harbored as many as 150,000 compromised computers.


      One of the botnets uncovered by the researchers was based in the United States and was used to deliver malware code including spyware that stole credit card data from e-commerce systems for the purpose of committing fraud. The other crimeware distribution campaign appears to have been used by radical Middle Eastern ideologists to espouse violent messages of world domination and steal money to buy satellites, radios and computer equipment.

      Porter and Boyd offered a rare inside glimpse into the world of botnet herders, which the researchers entered by hanging out on the shady online bulletin boards and chat relays where the schemers meet to share the tricks of the trade and their malware programs. By luring the prolific fraudsters to offer details about their work, and spying on the criminals, the researchers claim to have pieced together the identities of several of the unsavory individuals and helped take down their networks of subverted machines.

      In the case of the U.S.-based botnet, which was actually made up of two zombie networks, the operators secretly distributed a commercially available remote computer management application made by Famatech to unsuspecting end users via instant messaging systems and hid the program on their devices. Once the software was installed, the devious parties used it to load malware onto the machines, including a Perl script dubbed “Carder,” which takes advantage of holes in several e-commerce shopping cart applications to steal people's usernames, passwords, credit card numbers and PayPal account information.

      Starting with a tip from another malware researcher identified only by the screen name “Rince” about the people believed to be responsible for running the zombie network, FaceTime's Boyd—who is often identified by his own online alter-identity, “Paper Ghost”—said the sophisticated con game began to unravel.


      After laying out so-called honey pots in hopes of finding the signature work of two of the suspected botnet purveyors, known by the comic-book-villain monikers MC-Zero and Ink, Boyd said the researchers found their quarry and began examining posts the individuals made to shadowy sites in which they bragged about elements of their attacks.

      “You have to be careful that people aren't just yanking your chain, but we tried to use social engineering to get as much information as possible about these botnets,” Boyd said. “You have to get information from nontraditional channels, and working with Rince we were soon looking at live feeds of their IRC chats.”

      By taking the information the scammers unknowingly handed over to the researchers—which included pictures of their homes and cars—and determining where the individuals lived and carried out their work, the security experts were able to partner with ISPs to get the criminals' respective botnets shut down.


      In the case of the other zombie net, run by a group identifying itself as the Q8Army, individuals used IM-borne adware programs to deliver malware rootkits that stole credit card information for the purpose of committing fraud. The programs also served up pop-ups that carried URLs of militant Arabic Web sites that endorse violent means for achieving “world domination,” the researchers said.

      Using a paper trail left by some of the URLs and related fraudulent transactions, the researchers traced the group's origin to unidentified positions in the Middle East and observed that some of the stolen funds were being used to buy mobile communications gear and used PCs.

      After discovering the Q8Army's homepage, which carried custom hacking tools, programs for generating Trojan viruses and other malware applications, the researchers were able to have a set of U.S.-based servers used by the group taken offline, although the individuals remain active on systems located in Germany and the Middle East, according to Boyd.


      The researchers said there will need to be even more widespread cooperation on the part of security experts, law enforcement officials and government regulators if more of the zombie computer networks are to be shuttered in the future. However, Boyd said it is smarter to take a slow approach that yields detailed information and more powerful results in identifying the scams, versus merely attacking the hijacked computers from which their work is being delivered.

      “There are an awful lot of botnets out there, which encourages a whack-a-mole approach to shutting them down,” said the researcher. “By following the people who are actually responsible and building a case behind the scenes, we can actually do a lot more damage to them.”

      FaceTime's Porter warned that the groups of criminals funding many of the zombie networks have amassed significant resources via their work and are increasingly luring unemployed programmers in countries including Russia to create new malware exploits that will help them continue to steal with success.

      While many botnets last for only days and do relatively little damage, based on the shoddy nature of their execution, the most sophisticated operators will continue to find new ways to stay one step ahead of their pursuers, according to the expert.

      “These groups now have significant research and development budgets, and we've literally seen billions of dollars flowing through these networks,” said Porter. “Even more scary—these botnet operators are mastering the art of contextual marketing and may become even more successful at delivering their attacks.”
