Re: Disassembling botnets
From: Felikz (securityfocus_at_felikz.net)
Date: 04/06/05
- Previous message: Jeff Bryner: "Re: Disassembling botnets"
- In reply to: P.B. Wagenaar: "RE: Disassembling botnets"
- Next in thread: Harlan Carvey: "Re: Disassembling botnets"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Wed, 06 Apr 2005 20:00:54 +0100
To: incidents@securityfocus.com
If you are, or the attack is coming from or via the UK, then the NHTCU
would be a place to start.
P.B. Wagenaar wrote:
>Hi Commander Z!
>
>Well it isn't your job to disable the botnet and close down irc servers. All
>you can do is inform the ISP and report this all to the police. You are
>right if you say that all this won't do you any good.
>
>If you want to see some 'action', you should start a civil case against the
>ISP hosting the IRC network. It might sound wrong, but this will wake the
>ISP up and they will take the matter very seriously. Of course you don't want
>to make the ISP pay for what some hacker did, but this might make them go
>after the hacker behind the botnet.
>
>Send them a bill for your damages and wait for their response.
>
>Philip Wagenaar
>
>-----Original message-----
>From: Z [mailto:commander_uk@yahoo.com]
>Sent: Wednesday 6 April 2005 2:17
>To: incidents@securityfocus.com
>Subject: Disassembling botnets
>
>Hello all,
>As a recent victim of a sustained DDoS attack I decided to investigate a
>little further into the attack source. One of the compromised machines that
>was attacking was serving files on a modified FTP server sitting on a random
>port.
>
>I downloaded the file, a packed/crypted .exe file (NAV didn't find anything)
>that is obviously a DDoS agent.
>Running in a simulated environment, I found the DNS name of the IRC server
>it connects to, which at present resolves to an obviously compromised
>machine on a residential ISP. I joined the IRC server using techniques
>described in http://www.honeynet.org/papers/bots/ and found to my dismay
>around 2,000 other compromised users on an obvious botnet IRC server.
>
>Now, what are my next steps? Obviously if I complain to the ISP hosting the
>IRC server they will just update the DNS name and move the operation
>elsewhere.
>The domain appears to use managed DNS hosting (i.e. no 3rd-party nameservers
>as best as I can tell), so would the registrar even consider taking it down
>based on one report of a single A record pointing to a DDoS net? I really
>want to have those responsible brought to justice, but based on my
>complaints to previous ISPs of the largest attackers on the DDoS net, I'm
>afraid all I'll get is a canned "We have informed the customer" or similar
>response. It seems I'll only get one chance at this before they take off to
>another box. I'd really like to get some kind of law enforcement involved,
>but don't know where to start:
>My server and I are in different countries, and this is essentially a personal
>attack on me - no businesses are involved.
>
>Any thoughts or advice would be appreciated.
>
>Thanks.
>
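The original post makes a point that shapes any abuse complaint in a case like this: the botnet's IRC server is reached through a DNS name, so the operator can re-point the name at another compromised host as soon as one ISP reacts. What a responder can do before filing anything is keep a timestamped record of where the name resolved and when it moved, so each report carries first-seen/last-seen evidence for the specific address in question. The script below is an added illustration and is not code from this thread or from the Honeynet bot paper it cites; the hostname and the addresses are constructed placeholders from the RFC 5737 documentation ranges, and in practice the observations would come from periodic lookups (the `observe_now` helper, which needs network access) or from a passive-DNS feed.

```python
"""Track where a C2 hostname resolves over time and flag each move.

Added example, not code from the thread. SAMPLE_OBSERVATIONS is
constructed data: a placeholder hostname and RFC 5737 documentation
addresses, not real indicators.
"""
import socket
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Tuple

# Constructed observations: (ISO timestamp, hostname, resolved A record).
# The same name is seen pointing at three different hosts across one day,
# which is the "they will just update the DNS name" behaviour the post expects.
SAMPLE_OBSERVATIONS = [
    ("2005-04-06T01:00:00", "irc.example.invalid", "192.0.2.10"),
    ("2005-04-06T07:00:00", "irc.example.invalid", "192.0.2.10"),
    ("2005-04-06T13:00:00", "irc.example.invalid", "198.51.100.7"),
    ("2005-04-06T19:00:00", "irc.example.invalid", "198.51.100.7"),
    ("2005-04-07T01:00:00", "irc.example.invalid", "203.0.113.44"),
]


@dataclass
class Sighting:
    """One uninterrupted run of a hostname resolving to a single address."""
    address: str
    first_seen: datetime
    last_seen: datetime
    lookups: int


def build_history(observations) -> Dict[str, List[Sighting]]:
    """Group observations per hostname into consecutive runs of one address.

    Observations are sorted by timestamp first, so out-of-order input
    (e.g. merged logs from two vantage points) still yields correct runs.
    """
    history: Dict[str, List[Sighting]] = {}
    for ts, host, addr in sorted(observations):
        when = datetime.fromisoformat(ts)
        runs = history.setdefault(host, [])
        if runs and runs[-1].address == addr:
            # Same address as the previous sighting: extend the current run.
            runs[-1].last_seen = when
            runs[-1].lookups += 1
        else:
            # Address changed (or first sighting): start a new run.
            runs.append(Sighting(addr, when, when, 1))
    return history


def detect_moves(history) -> List[Tuple[str, str, str, datetime]]:
    """Return (host, old_address, new_address, when_first_seen) per move."""
    moves = []
    for host, runs in history.items():
        for prev, cur in zip(runs, runs[1:]):
            moves.append((host, prev.address, cur.address, cur.first_seen))
    return moves


def abuse_report_lines(history) -> List[str]:
    """One evidence line per address run, ready to paste into a report."""
    lines = []
    for host, runs in history.items():
        for run in runs:
            lines.append(
                f"{host} -> {run.address}: first seen {run.first_seen.isoformat()}, "
                f"last seen {run.last_seen.isoformat()}, {run.lookups} lookups"
            )
    return lines


def observe_now(host: str) -> Tuple[str, str, str]:
    """Perform one live lookup and return it in the observation tuple format.

    Requires network access; not used by the offline sample run below.
    """
    return (datetime.utcnow().replace(microsecond=0).isoformat(),
            host, socket.gethostbyname(host))


if __name__ == "__main__":
    hist = build_history(SAMPLE_OBSERVATIONS)
    for host, old, new, when in detect_moves(hist):
        print(f"{when.isoformat()}: {host} moved {old} -> {new}")
    print()
    print("\n".join(abuse_report_lines(hist)))
```

Each address run is reported separately because an ISP can only act on the host it actually controls; the first-seen/last-seen window tells them which of their customers was involved during that period even after the name has moved on.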