RE: Disassembling botnets

From: P.B. Wagenaar (PB.Wagenaar_at_chello.nl)
Date: 04/06/05

  • Next message: Harlan Carvey: "Re: Disassembling botnets"
    Date: Wed, 06 Apr 2005 16:16:11 +0200
    To: incidents@securityfocus.com
    
    

    Hi Commander Z!

    Well it isn't your job to disable the botnet and close down irc servers. All
    you can do is inform the ISP and report this all to the police. You are
    right if you say that all this won't do you any good.

    If you want to see some 'action', you should start a civil case against the
    ISP hosting the IRC network. It might sound wrong, but this will wake the
    ISP up and they will take the matter very seriously. Ofcourse you don't want
    to make the ISP pay for what some hacker did, but this might make them go
    after the hacker behind the botnet.

    Send them a bill for your damages and wait for their response.

    Philip Wagenaar
     
    -----Oorspronkelijk bericht-----
    Van: Z [mailto:commander_uk@yahoo.com]
    Verzonden: woensdag 6 april 2005 2:17
    Aan: incidents@securityfocus.com
    Onderwerp: Disassembling botnets

    Hello all,
    As a recent victim of a sustained DDoS attack I decided to investigate a
    little further into the attack source. One of the compromised machines that
    was attacking was serving files on a modified FTP server sitting on a random
    port.

    I downloaded the file, a packed/crypted .exe file (NAV didn't find anything)
    that is obviously a DDoS agent.
    Running in a simulated environment, I found the DNS name of the IRC server
    it connects to, which at present resolves to an obviously compromised
    machine on a residential ISP. I joined the IRC server using techniques
    described in http://www.honeynet.org/papers/bots/ and found to my dismay
    around 2,000 other compromised users on an obvious botnet IRC server.

    Now, what are my next steps? Obviously if I complain to the ISP hosting the
    IRC server they will just update the DNS name and move the operation
    elsewhere.
    The domain appears to use managed DNS hosting (ie no 3rd party nameservers
    as best as I can tell), so would the registrar even consider taking it down
    based on one report of a single A record pointing to a DDoS net? I really
    want to have those responsible brought to justice, but based on my
    complaints to previous ISPs of the largest attackers on the DDoS net, I'm
    afraid all I'll get is a canned "We have informed the customer" or similar
    response. It seems I'll only get one chance at this before they take off to
    another box. I'd really like to get some kind of law enforcement involved,
    but don't know where to start:
    Me and my server are in different countries and this essentially a personal
    attack on me - no businesses are involved.

    Any thoughts or advice would be appreciated.

    Thanks.

    Send instant messages to your online friends http://uk.messenger.yahoo.com

    --------------------------------------------------------------------------
    Test Your IDS

    Is your IDS deployed correctly?
    Find out quickly and easily by testing it with real-world attacks from CORE
    IMPACT.
    Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
    to learn more.
    --------------------------------------------------------------------------

    -- 
    I am using the free version of SPAMfighter for private users.
    It has removed 906 spam emails to date.
    Paying users do not have this message in their emails.
    Try www.SPAMfighter.com for free now!
    --------------------------------------------------------------------------
    Test Your IDS
    Is your IDS deployed correctly?
    Find out quickly and easily by testing it with real-world attacks from 
    CORE IMPACT.
    Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 
    to learn more.
    --------------------------------------------------------------------------
    

  • Next message: Harlan Carvey: "Re: Disassembling botnets"

    Relevant Pages

    • Re: Disassembling botnets
      ... If you are, or the attack is coming from or via the UK, then the NHTCU ... >you can do is inform the ISP and report this all to the police. ... I joined the IRC server using techniques ... >complaints to previous ISPs of the largest attackers on the DDoS net, ...
      (Incidents)
    • Re: DOS attack logged by Netgear router DG836G
      ... *** During these 10 hrs no PC was powered on, but the router is ... But basically you're screwed over for the duration of the attack. ... inside the ISP helped to get it blocked, or going with an ISP that ... Over to you to run a zillion name/password combos on the telnet port :-) ...
      (uk.telecom.broadband)
    • Re: Question about rsync
      ... server, through your switches and gateways on to your ISP, through the ... internet infrastructure, and back out at the other side" ... methodof attack as you. ... - the idea that you *always* need strong encryption for any transfer can ...
      (comp.os.linux.networking)
    • Re: Web site being attacked!
      ... My advice is to contact the ISP that owns the IP address of the attacker ... block the attacks, until the attack patterns change again. ... Yes, you want "IISlockdown" which contains URLscan, install all microsoft ... The Netscreen 5XP is a real commercial grade firewall with the same features ...
      (microsoft.public.win2000.security)
    • Re: Dealing with script kiddies
      ... If I get a repeated attack ... and if I'm pissed because the bagel place was out of garlic ... >> to law enforcement networks, including the FBI, so I can let the ISP ... > security, not the technical side, so I'm not always _au courant_ with the ...
      (microsoft.public.win2000.security)