[ISN] Shadowboxing With a Bot Herder

InfoSec News isn at c4i.org
Fri Mar 10 01:18:56 EST 2006


By Brian Krebs
March 9, 2006

Security Fix had an interesting online conversation Tuesday night with
a hacker who controls a vast, distributed network of hacked Microsoft
Windows computers, also known as a "botnet."

I went into the interview knowing very little about this individual,
other than his online alter ego, "Witlog," and that he has infected
close to 30,000 Windows PCs with his computer worm, which he claims is
powered by code that he downloaded from a Web site, modified slightly,
and set loose on the 'Net. I came away from the interview no more
knowledgeable about his background, age, location or motivation, but
perhaps with a stark reminder of how just a little bit of knowledge
can be such a dangerous thing.

Witlog claims he doesn't use his botnet for illegal purposes, only
"for fun." I found that claim pretty hard to believe given a) the
income he could make installing ad-serving software on each computer
under his control, combined with b) the risk he is taking of getting
caught breaking into so many computers. The kid I wrote about in the
Post magazine story on the connection between botnets and spyware was
making $6,000 to $10,000 per month installing adware on a botnet half
the size of the one Witlog claims to have.

I was introduced to Witlog through several security experts who are
part of the Shadowserver.org crew, a group of talented volunteers who
dedicate a great deal of their free time and energy toward making life
more difficult for bot herders like Witlog. Shadowserver has been
cataloging Witlog's every move for the past two months or so, and
shared with me records showing Witlog seeding his botnet with adware
from DollarRevenue.net, which pays distributors $0.30 for each install
of their pop-up ad-serving software on a computer in the United
States; distributors can earn $0.20 per install for Canadian PCs, and
ten cents per install for computers based in the United Kingdom.  
Installs on PCs in other countries net the distributor two cents or

Witlog admitted to me that he made at least $400 by installing adware
on his bots and conducting a petty distributed-denial-of-service
attack against a couple of Web sites that knocked them offline for a
while. For all I know, that could be the extent of it. He also
admitted that he lets his buddies use his botnet for their own
purposes, which he claims not to know much about.

But what blew me away was how he created the botnet, which is powered
by a worm that spreads only through known network security holes in
Microsoft Windows and which require no action on the part of the
victim other that the failure to apply security patches and (maybe)  
use a simple firewall. Had he decided to spread his worm through more
conventional means -- via Web links sent in instant message or as
attachments in e-mail -- his botnet could probably have grown to twice
its current size.

In this snippet of our conversation, I asked Witlog how and why he got
his botnet started:

Witlog: why i did it? i've read an article on yahoo or smth like this 
Witlog: so when i've read that article, i thought "why not to make my 
SecurityFix: so did you just download the source from some site and 
set it loose? 
Witlog: yes
Witlog: changed settings, and started it
Witlog: thats all
Witlog: anyone could do that
Witlog: you don't have to know many things to do a botnet like this

Over the past month and a half, Witlog used freely available source
code for SDBot and built his botnet to 45,000 PCs. That is, until
botnet hunters like Shadowserver and others put enough pressure on
Witlog's Internet service provider to shutter Witlog.com, the domain
name he was using to control his bot herd. That was only a temporary
setback for Witlog, however, who simply registered a new bot control
channel at Witlog.net. So far his network is back up to about 65
percent of its original size and growing by several thousand newly
infected machines per day.

But again, Witlog says it's not about size, it's all about the fun of
it. For guys like Witlog, building botnets can be akin to a kind of
digital hide and seek. On Monday, he began using a new version of the
code that runs his botnet (this is the sixth iteration). Less than 24
hours after he released it, the bot code was only detected as
malicious by two out of more than a dozen or so of the major
anti-virus scanners employed by the free virus-testing service over at
VirusTotal.com; Two other anti-virus engines flagged it as
"suspicious," but could not tell whether the file was overtly hostile.

Witlog may in fact be the product of a new generation of "script
kiddiez"; the chief distinguishing feature of this generation being
that instead of using Web site flaws to deface as many Web sites as
possible, these guys are breaking into thousands of home and work PCs
and taking them for a virtual joyride, often times all the way to the

And it's not just hacked home PCs we're talking about either.  
According to stats released this week by computer security giant
Symantec Corp., the most common computer operating system found in
botnets is Microsoft's Windows 2000, an OS predominantly used in
business environments. Indeed, the vast majority of bots in Witlog's
network were Win2K machines, and among the bots I saw were at least 40
computers owned by the Texas state government, as well as several
systems on foreign government networks. At least one machine that he
showed me from his botnet was located inside of a major U.S. defense

More information about the ISN mailing list