Re: Disassembling botnets

From: Felikz (securityfocus_at_felikz.net)
Date: 04/06/05

  • Next message: Bob the Builder: "Gathering volatile information"
    Date: Wed, 06 Apr 2005 20:00:54 +0100
    To: incidents@securityfocus.com
    
    

    If you are, or the attack is coming from or via the UK, then the NHTCU
    would be a place to start.

    http://www.nhtcu.org/

    P.B. Wagenaar wrote:

    >Hi Commander Z!
    >
    >Well it isn't your job to disable the botnet and close down irc servers. All
    >you can do is inform the ISP and report this all to the police. You are
    >right if you say that all this won't do you any good.
    >
    >If you want to see some 'action', you should start a civil case against the
    >ISP hosting the IRC network. It might sound wrong, but this will wake the
    >ISP up and they will take the matter very seriously. Ofcourse you don't want
    >to make the ISP pay for what some hacker did, but this might make them go
    >after the hacker behind the botnet.
    >
    >Send them a bill for your damages and wait for their response.
    >
    >Philip Wagenaar
    >
    >-----Oorspronkelijk bericht-----
    >Van: Z [mailto:commander_uk@yahoo.com]
    >Verzonden: woensdag 6 april 2005 2:17
    >Aan: incidents@securityfocus.com
    >Onderwerp: Disassembling botnets
    >
    >Hello all,
    >As a recent victim of a sustained DDoS attack I decided to investigate a
    >little further into the attack source. One of the compromised machines that
    >was attacking was serving files on a modified FTP server sitting on a random
    >port.
    >
    >I downloaded the file, a packed/crypted .exe file (NAV didn't find anything)
    >that is obviously a DDoS agent.
    >Running in a simulated environment, I found the DNS name of the IRC server
    >it connects to, which at present resolves to an obviously compromised
    >machine on a residential ISP. I joined the IRC server using techniques
    >described in http://www.honeynet.org/papers/bots/ and found to my dismay
    >around 2,000 other compromised users on an obvious botnet IRC server.
    >
    >Now, what are my next steps? Obviously if I complain to the ISP hosting the
    >IRC server they will just update the DNS name and move the operation
    >elsewhere.
    >The domain appears to use managed DNS hosting (ie no 3rd party nameservers
    >as best as I can tell), so would the registrar even consider taking it down
    >based on one report of a single A record pointing to a DDoS net? I really
    >want to have those responsible brought to justice, but based on my
    >complaints to previous ISPs of the largest attackers on the DDoS net, I'm
    >afraid all I'll get is a canned "We have informed the customer" or similar
    >response. It seems I'll only get one chance at this before they take off to
    >another box. I'd really like to get some kind of law enforcement involved,
    >but don't know where to start:
    >Me and my server are in different countries and this essentially a personal
    >attack on me - no businesses are involved.
    >
    >Any thoughts or advice would be appreciated.
    >
    >Thanks.
    >
    >
    >Send instant messages to your online friends http://uk.messenger.yahoo.com
    >
    >--------------------------------------------------------------------------
    >Test Your IDS
    >
    >Is your IDS deployed correctly?
    >Find out quickly and easily by testing it with real-world attacks from CORE
    >IMPACT.
    >Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
    >to learn more.
    >--------------------------------------------------------------------------
    >
    >
    >

    --------------------------------------------------------------------------
    Test Your IDS

    Is your IDS deployed correctly?
    Find out quickly and easily by testing it with real-world attacks from
    CORE IMPACT.
    Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
    to learn more.
    --------------------------------------------------------------------------


  • Next message: Bob the Builder: "Gathering volatile information"