"Rise of the Point-and-Click Botnet" - A kit lets beginners craft sophisticated attacks. By Robert Lemos, Tuesday, February 23, 2010
"In 2005, a Russian hacker group known as UpLevel developed Zeus, a point-and-click program for creating and controlling a network of compromised computer systems, also known as a botnet. Five years of development later, the latest version of this software, which can be downloaded for free and requires very little technical skill to operate, is one of the most popular botnet platforms for spammers, fraudsters, and people who deal in stolen personal information."
- Technology Review -
Actually this could also be used as the good guys "fire back" system!
Getting down to crawl in the gutter usually isn't the best idea. Given the possibility of IP spoofing (yes, it's possible - read the man page for nmap), how does this mode make you any better than the scammer?
Think about this one - a bad guy takes over another system on the same subnet of your ISP, and proceeds to wail the shit out of your systems using spoofed addresses. Such as IPs from a block owned by the (US) Department of Homeland Security, FBI, or the Border Protection Service. Just for jollies, let's also throw in the Canadian RCMP and Mexican Policía Federal. And you decide to retaliate... I could be wrong that "being stupid without a license" isn't a crime in all three countries, but a lot of people have raised children and don't buy the excuse that "[s]he started it". And all they can see is attacks coming from your system. Intentionally. Think that can't be done?
Where I work, we intentionally block access from/to all residential ranges we're aware of. We're one of the research facilities for the company, and thus we're not losing customers by doing so.
Depends. In most cases, we don't see "attacks" because we limit access to our networks. Because our systems don't even complete the "three-way handshake" needed to initiate a TCP connection, skript kiddiez soon get bored and move on. Robotic stuff is usually well behaved, and moves on if a single connection attempt fails. They recognize we're not playing, and there are more targets for them to look at elsewhere. Two examples - the Chinese traffic to ports 7212, 8080, 8090, 9090, and similar is usually one packet per attempt - 40-ish octets/bytes up to several times an hour per IP address maximum from a relatively limited number of /20 blocks, and trivial to ignore. Opposite this was the windoze messenger spam (4-900 octets of UDP to ports 1025-1030, most often with randomly spoofed IP addresses). This was running 250-600 KB per address per day. With a single Internet IP, this isn't too bad, but that's an appreciable chunk of bandwidth when your presence is a /16 or larger. There were relatively simple ways to block this too.
Sometimes that doesn't work. Are the packets coming from "this" country? You _may_ be able to bring legal/criminal complaints (see your legal advisor - may not be worth the effort/expense). If the packets are coming from some "other" country, there probably isn't very much you can do other than asking your upstream to block. A point a lot of people forget is that in the _absence_ of a contract that says otherwise, a network entity doesn't have to accept traffic from everywhere. It's a variation on the response to spammers by mail administrators - "my network, my rules".
One other point to consider: We rarely bother logging rejected or blocked traffic on the firewall. It's blocked, and isn't going to be doing anything, so why bother? If we do block something we shouldn't (some legitimate need), we'll hear about it soon enough. We may turn on logging once in a while to see if anything has changed, but that's pretty rare.
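The two noise patterns the post above contrasts (single-SYN probes to ports like 7212/8080/8090/9090 versus UDP Messenger-service spam to 1025-1030) can be told apart and measured from a firewall's rejected-packet summaries, which is what lets you decide that one is safe to ignore and the other is worth an upstream filter. The script below is an added example and not code from the post or its author; the packet records are constructed, the log line format is invented for the example, and the byte bounds used to recognise each pattern are my reading of the post's "40-ish" and "4-900" octets, not measured values.

```python
"""Classify firewall-rejected packets into the noise patterns described in the post.

Added example: the traffic is constructed, the line format is invented, and the
byte thresholds are assumptions based on the figures quoted in the post.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple

# Port sets quoted in the post; byte bounds are assumptions, not measurements.
PROBE_PORTS = {7212, 8080, 8090, 9090}   # TCP scanning noise, one SYN per attempt
MESSENGER_PORTS = range(1025, 1031)      # UDP Messenger-service spam to 1025-1030
SYN_MAX_BYTES = 60                       # a bare SYN is ~40 octets of headers; allow options
MESSENGER_MIN_BYTES, MESSENGER_MAX_BYTES = 4, 900


@dataclass(frozen=True)
class Packet:
    day: str     # "YYYY-MM-DD", the bucket we aggregate by
    src: str
    proto: str   # "tcp" or "udp"
    dport: int
    length: int  # octets on the wire


def parse_line(line: str) -> Packet:
    """Parse one constructed summary line: '<day> <src> <proto> <dport> <length>'."""
    day, src, proto, dport, length = line.split()
    return Packet(day, src, proto.lower(), int(dport), int(length))


def classify(p: Packet) -> str:
    """Label a rejected packet as 'probe', 'messenger' or 'other'."""
    if p.proto == "tcp" and p.dport in PROBE_PORTS and p.length <= SYN_MAX_BYTES:
        return "probe"
    if (p.proto == "udp" and p.dport in MESSENGER_PORTS
            and MESSENGER_MIN_BYTES <= p.length <= MESSENGER_MAX_BYTES):
        return "messenger"
    return "other"


Key = Tuple[str, str, str]  # (category, source address, day)


def daily_totals(packets: Iterable[Packet]) -> Dict[Key, Tuple[int, int]]:
    """Sum (packet count, octets) per category, source address and day."""
    counts: Dict[Key, int] = defaultdict(int)
    octets: Dict[Key, int] = defaultdict(int)
    for p in packets:
        k = (classify(p), p.src, p.day)
        counts[k] += 1
        octets[k] += p.length
    return {k: (counts[k], octets[k]) for k in counts}


def heavy_sources(totals: Dict[Key, Tuple[int, int]], threshold_octets: int) -> List[Key]:
    """Sources whose blocked volume per day is large enough to be worth escalating."""
    return sorted(k for k, (_, total) in totals.items() if total >= threshold_octets)


def build_sample() -> List[Packet]:
    """Constructed traffic for one day: a few single-SYN probes and a flood of UDP spam."""
    lines = [
        "2010-02-23 198.51.100.7 tcp 7212 40",
        "2010-02-23 198.51.100.7 tcp 8080 40",
        "2010-02-23 198.51.100.7 tcp 9090 44",
        "2010-02-23 198.51.100.8 tcp 8090 40",
        "2010-02-23 192.0.2.1 tcp 443 1500",   # unrelated rejected packet
    ]
    # 600 Messenger-spam datagrams of 500 octets from one (spoofed) address: 300 KB/day
    lines += ["2010-02-23 203.0.113.9 udp %d 500" % (1025 + i % 6) for i in range(600)]
    return [parse_line(line) for line in lines]


if __name__ == "__main__":
    totals = daily_totals(build_sample())
    for (cat, src, day), (n, total) in sorted(totals.items()):
        print(f"{day} {cat:9} {src:15} packets={n:4d} octets={total}")
    print("worth escalating:", heavy_sources(totals, 100_000))
```

Run as-is it prints one line per (category, source, day) and flags only the UDP spam source; the probe sources never get near a threshold that matters, which is the post's point about why they are trivial to ignore while the Messenger spam is not when it is multiplied across a /16.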
I thought this was germane to what y'all are discussing:
(there might be an ad to skip)
"But behind the scenes, Microsoft's legal action was just one component of a synchronized campaign to bring down Waledac.
Last year, researchers with the University of Mannheim in Germany and Technical University Vienna in Austria published a research paper showing how it was possible to infiltrate and control the Waledac botnet. They had studied Waledac's complicated peer-to-peer communication mechanism.
Microsoft -- which was annoyed by Waledac due to its spamming of Hotmail accounts -- contacted those researchers about two weeks ago to see if they could perform their attack for real, according to one of the University of Mannheim researchers, who did not want to be identified.
"They asked me if there was also a way besides taking down those domains of redirecting the command-and-control traffic," said the Mannheim researcher.
Waledac distributes instructions through command-and-control servers that work with a peer-to-peer system. Led by a researcher who did his bachelor thesis on Waledac, the action began early this week.
"This was more or less an aggressive form of what we did before," the Mannheim researcher said. "We disrupted the peer-to-peer layer to redirect traffic not to botmaster servers but to our servers." "