Stop the bots

Knock 'em off, but do it the right way

Reducing security risks from open source software

There are clear legal and ethical issues involved in disabling botnets, especially when they involve thousands of machines that span dozens of countries with different legal systems. But doing nothing at all to stop them is worse than trying to help. I think too many people get caught up in the legal side of fighting back, however, when the very nature of botnets are a perversion of the internet. Knocking them offline is a good thing, you just have to do it the right way. I wish more people would fight this kind of evil - in their spare time - and try to clean things up. The benefits are reduced spam, fewer phishing scams, perhaps less spyware, fewer stolen identities, and the knowledge that you helped potentially thousands of people against what is now becoming organised crime.

A few smart people are doing this and documenting their efforts (article 1, article 2). Honeypots can be a great way to capture bot software and start to analyse what it does. There are a few cases of public "zombie hunters" and the "return of the web mob" where people are fighting botnets and willing to go public. I applaud their efforts, I just wish more people would join in.

If you have the technical ability to help solve this source of evil that affects millions of people, why would you sit back and just watch?<br/>

Disabling botnets

Disabling botnets is not easy, particularly when one needs to disassemble a Trojan just to figure out how the botnet works. Or sniff the traffic to see what it is doing. It’s beyond the technical ability of many people. Even so, it's still a big step from just logging in to actually disabling a botnet. But there are exceptions.

Some simple botnets exploit known vulnerabilities in web servers to download Perl scripts that cause the server to join an IRC channel and wait for commands. Check your web server logs. Most readers would have the ability to read the logs, find the attack attempt, download the script themselves, and see how it works. While this is a simple (but real) example, a short foray into the underworld by someone with good intentions of shutting a botnet down can be a fascinating experience. If a quick scan reveals that the botnet’s command center is vulnerable to a Teardrop attack or any simple vulnerability, would you not take it down? You definitely should.

With good intentions of fighting a known evil that harms people and the internet, I personally don’t have any ethical issues with people disbanding botnets - provided they don't give further harm to the bots themselves. I think disbanding a botnet is a very good thing to do. They cause so much harm and are used for so many illegal puposes. It’s a little vigilante, but very good for the internet. To do it right, you'd perhaps notify the rightful owners of every one of the computers that had been infected too, else the machines will only be infected by a different botnet. But there are real implications by doing this, too.

Some botnets even have the ability to distribute patches - but it’s used by the botnet operator to retain control, rather then patch and then release the machines that are compromised. And then there are botnets fighting other botnets, a turf war over machines that neither operator owns.

In fairytale land I can imagine someone gaining control of a botnet, distributing a patch to fix the compromised bots, and disbanding the botnet - but even this is wrought with potential harm as well. And one can argue that it’s not his responsibility to fight botnets. Agreed. It’s probably not. It’s really the realm of law enforcement to do this, but let’s be realistic and understand that their limited resources are pretty swamped as it is.

Hello, Skynet

The rise of the botnets may just be the great-grandfather of a Skynet in the distant future. It’s a disturbing trend of evil that is mostly unchecked by all but a few talented people and limited law enforcement. Today most botnets still use some kind of centralised command and control centre - a single point of failure, such as an IRC server. There’s a window of opportunity to shut them down before new peer-to-peer botnets become commonplace, which won't have any single point of failure.

The next generation is coming. It’s a worrisome trend. I wonder if we’ll start to do anything about it en masse in the coming dozen years, before the first signs of Skynet start to appear.

This article originally appeared in Security Focus.

Copyright © 2006, SecurityFocus

Kelly Martin has been working with networks and security since 1986, and he's editor for SecurityFocus, Symantec's online magazine.

Mobile application security vulnerability report

More from The Register

next story
LibreSSL RNG bug fix: What's all the forking fuss about, ask devs
Blow to bit-spitter 'tis but a flesh wound, claim team
Microsoft: You NEED bad passwords and should re-use them a lot
Dirty QWERTY a perfect P@ssword1 for garbage websites
Manic malware Mayhem spreads through Linux, FreeBSD web servers
And how Google could cripple infection rate in a second
NUDE SNAPS AGENCY: NSA bods love 'showing off your saucy selfies'
Swapping other people's sexts is a fringe benefit, says Snowden
Own a Cisco modem or wireless gateway? It might be owned by someone else, too
Remote code exec in HTTP server hands kit to bad guys
British data cops: We need greater powers and more money
You want data butt kicking, we need bigger boots - ICO
Crooks fling banking Trojan at Japanese smut site fans
Wait - they're doing online banking with an unpatched Windows PC?
NIST told to grow a pair and kick NSA to the curb
Lrn2crypto, oversight panel tells US govt's algorithm bods
prev story


Top three mobile application threats
Prevent sensitive data leakage over insecure channels or stolen mobile devices.
The Essential Guide to IT Transformation
ServiceNow discusses three IT transformations that can help CIO's automate IT services to transform IT and the enterprise.
Mobile application security vulnerability report
The alarming realities regarding the sheer number of applications vulnerable to attack, and the most common and easily addressable vulnerability errors.
How modern custom applications can spur business growth
Learn how to create, deploy and manage custom applications without consuming or expanding the need for scarce, expensive IT resources.
Consolidation: the foundation for IT and business transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.