[ISN] Bringing Botnets Out of the Shadows

InfoSec News isn at c4i.org
Wed Mar 22 02:39:08 EST 2006


By Brian Krebs
washingtonpost.com Staff Writer
March 21, 2006

Nicholas Albright's first foray into some of the darkest alleys of the
Internet came in November 2004, shortly after his father committed
suicide. About a month following his father's death, Albright
discovered that online criminals had broken into his dad's personal
computer and programmed it to serve as part of a worldwide,
distributed network for storing pirated software and movies.

Albright managed to get the network shuttered with a call to the
company providing the Internet access the criminals were using to
control it. From that day forward, Albright poured all of his free
time and pent-up anger over his father's death into assembling
"Shadowserver," a group of individuals dedicated to battling large,
remote-controlled herds of hacked personal PCs, also known as

Now 27, Albright supports his wife and two children as a dispatcher
for a health care company just outside of Boulder, Colo. When he is
not busy fielding calls, Albright is chatting online with fellow
Shadowserver members, trading intelligence on the most active and
elusive botnets. Each "bot" is a computer on which the controlling
hacker has installed specialized software that allows him to
commandeer many of its functions. Hackers use bots to further their
online schemes or as collection points for users' personal and
financial information.

"I take my [handheld computer] everywhere so I can keep tabs on the
botnets when I'm not at home," Albright said in a recent online chat
with a washingtonpost.com reporter. "I spend at least 16 hours a day
monitoring and updating."

On a Sunday afternoon in late February, Albright was lurking in an
online channel that a bot herder uses to control a network of more
than 1,400 hacked computers running Microsoft Windows software. The
hacker controlling this botnet was seeding infected machines with
"keyloggers," programs that can record whatever the victim types into
online login screens or other data-entry forms.

Albright had already intercepted and dissected a copy of the computer
worm that the attacker uses to seize control of computers -- an
operation that yielded the user name and password the hacker uses to
run the control channel. By pretending to be just another freshly
hacked bot reporting for duty, Albright passively monitors what the
hackers are doing with their botnets and collects information that an
Internet service provider would need to get the channel shut down.

Albright spied one infected PC reporting data about the online
activities of its oblivious owner -- from the detailed information
flowing across the wire, it was clear that one of the infected
computers belongs to a physician in Michigan.

"The botnet is running a keylogger, and I see patient data," Albright
said. The mere fact that the doctor's PC was infected with a keylogger
is a violation of the Health Insurance Portability and Accountability
Act (HIPAA), which requires physicians to take specific security
precautions to protect the integrity and confidentiality of patient
data. "The police need to be notified ASAP to get that machine off the

A little more than an hour and a few phone calls later, the doctor's
Internet service provider had disconnected the infected PC from its
network and alerted the physician. Albright sent an e-mail to the FBI
including all the evidence he collected about the attack, but he
wasn't terribly sanguine that the feds would do anything with it.

"Anything you submit to law enforcement may help later if an
investigation occurs," he said. "Chances are, though, it will just be
filed away in a database."

A Spreading Menace

Botnets are the workhorses of most online criminal enterprises today,
allowing hackers to ply their trade anonymously -- sending spam,
sowing infected PCs with adware from companies that pay for each
installation, or hosting fraudulent e-commerce and banking Web sites.

As the profit motive for creating botnets has grown, so has the number
of bot-infected PCs. David Dagon, a Ph.D. student at Georgia Tech who
has spent several years charting the global spread of botnets,
estimates that in the 13-month period ending in January, more than 13
million PCs around the world were infected with malicious code that
turned them into bots.

Botnets typically consist of Microsoft Windows machines that belong to
small-business or home-computer users who failed to secure their PCs
against hackers and viruses. Their machines are typically infected
when the user opens an infected e-mail attachment. While firewall and
anti-virus programs can help block such attacks, online criminals are
increasingly developing programs that evade detection or even disable
security software.

"What I've seen from my work with Shadowserver has blown me away,"
said André M. Di Mino, 40, a private technology consultant from Bergen
County, N.J. Di Mino teamed up with the group in October after he left
a job as a chief information officer at a business-services company.

"I know many users within my former organization who felt that
anti-virus and spyware scanning would save them," Di Mino said.
"However, now I see how many malicious files tied to major botnets
remain undetected" by the most popular anti-virus programs.

Catching Viruses With Honey

When he's not manning the deli counter at a supermarket in Liverpool,
England, 20-year-old Shadowserver member Dave Andrews is usually
poring over new computer virus specimens. (Unlike Andrews, the vast
majority of the volunteers are located in the United States.) Like
most other members, he began fiddling with computers and programming
at an early age.

Four months ago, Andrews was on track to become a computer-systems
engineer in the British military, but he said he was honorably
discharged on account of a recurring physical injury. Most of the
Shadowserver crew have backgrounds in computer security, and they are
all volunteers who spend most of their free time on the project.

Andrews's virus specimens were collected by an automated software tool
designed to catch new pieces of computer code that criminals use to
infect PCs and turn them into bots. Shadowserver locates bot networks
by deploying a series of "honeynets" -- sensors that mimic computers
with known security flaws -- in an effort to lure attackers, allowing
the group to capture samples of new bot programs.

Most bots spread by instructing new victims to download the attacker's
control program from a specific set of Web sites. By stripping out
those links, Shadowserver members can begin to build a map of the
attacker's network, information which is then shared with several
other botnet hunting groups, security volunteer groups, federal law
enforcement, and any affected ISPs or Web site hosts.

Each unique piece of intercepted bot code is run through nearly two
dozen anti-virus programs to determine if the code has already been
identified by security vendors. Shadowserver submits any new or
undetected specimens to the major anti-virus companies. Andrews said
he is constantly surprised by the sheer number of bot programs that do
not get flagged as malicious by any of the programs.

"Generally, one or two [correct identifications] is considered good,
but there are hundreds of bot programs that each anti-virus program
doesn't catch on their own," Andrews said.

In Andrews's experience, by far the most common reason criminals
create botnets these days -- other than perhaps to sell or rent them
to other criminals -- is to install online ad-serving software that
earns the attacker a few pennies per install.

"The majority of these [botmasters] are hardcore users who repeat over
and over, because it can earn them money by the installation of
adware," he said.

A Thankless Job

Even after the Shadowserver crew has convinced an ISP to shut down a
botmaster's command-and-control channel, most of the bots will remain
infected. Like lost sheep without a shepherd, the drones will
continually try to reconnect to the hacker's control server, unaware
that it no longer exists. In some cases, Albright said, a botmaster
who has been cut off from his command-and-control center will simply
wait a few days or weeks, then re-register the domain and reclaim
stranded bots.

"The botnets we've already shut down have a real possibility of
popping back up again tomorrow," Albright said.

Such constant attacks and setbacks can take an emotional toll on
volunteers who spend countless hours not only hunting down bot herders
but in many cases notifying the individuals or institutions whose
networks and systems the hackers have commandeered. This is largely a
thankless job, because in most cases the victims never even respond.

David Taylor, a senior information security specialist at the
University of Pennsylvania, knows all too well what botnet-hunting
burnout feels like. Taylor was invited to join Albright and the
Shadowserver crew following a story at washingtonpost.com detailing
his conversations with a botmaster named "Diabl0." The hacker bragged
about making money with his botnet through adware installations.
(Diabl0 -- an 18-year-old Moroccan national named Farid Essebar -- was
eventually arrested on suspicion of authoring the "Zotob" worm that
infected hundreds of companies in a high-profile attack last fall.)

A few months ago, Taylor became obsessed with tracking a rather
unusual botnet consisting of computers running Mac OS X and Linux
operating systems. Working a week straight, Taylor located nearly all
of the infected machines and had some success notifying the owners of
those systems, but the Taiwanese ISP the hackers used to host their
control center repeatedly ignored his requests to shutter the site.

Since that incident, Taylor has distanced himself from bot hunting --
if only, he says, to make time for other interests. These days he
spends most of his spare hours doing something far less stressful --

"Bot hunting can really take over your personal life, because to do
this right you really have to stay on top of it -- it can't just be
something you do on the weekends," he said. "I guess it takes a
special type of person to be able to sustain botnet hunting. ... I
don't know anyone who pays people to do this kind of work."

Recent media attention to the Shadowserver project has generated
interest among a new crop of volunteers eager to deploy honeynet
sensors and contribute to the effort. Albright says he'll take all the
help he can get, but he worries that the next few years will bring
even more numerous and stealthy botnets.

"Even with all the sensors we have in place now, we're still catching
around 20 new unknown [bot programs] per week," he said. "Once we get
more sensors that number will probably double."

Albright said that while federal law enforcement has recently made
concerted efforts to reach out to groups like Shadowserver in hopes of
building a more effective partnership, they don't have the bodies, the
technology, or the legal leeway to act directly on the information the
groups provide.

"Our data can't be used to gather a warrant," Albright said. "Law
enforcement has to view the traffic first hand, and they are limited
on what and when they can view."

"It's going to get a lot worse in the next two years. We need a
taskforce or law enforcement agency to handle these types of
intrusions ... and that needs to be all they do," Albright said.
"Sadly, without more law enforcement support this will remain a
chase-your-tail type game, because we won't ever really shut these
networks down until the bot master goes to jail, and his drones are

© 2006 Washingtonpost.Newsweek Interactive
