Feeds

Stop the bots

Knock 'em off, but do it the right way

Build a business case: developing custom apps

There are clear legal and ethical issues involved in disabling botnets, especially when they involve thousands of machines that span dozens of countries with different legal systems. But doing nothing at all to stop them is worse than trying to help. I think too many people get caught up in the legal side of fighting back, however, when the very nature of botnets are a perversion of the internet. Knocking them offline is a good thing, you just have to do it the right way. I wish more people would fight this kind of evil - in their spare time - and try to clean things up. The benefits are reduced spam, fewer phishing scams, perhaps less spyware, fewer stolen identities, and the knowledge that you helped potentially thousands of people against what is now becoming organised crime.

A few smart people are doing this and documenting their efforts (article 1, article 2). Honeypots can be a great way to capture bot software and start to analyse what it does. There are a few cases of public "zombie hunters" and the "return of the web mob" where people are fighting botnets and willing to go public. I applaud their efforts, I just wish more people would join in.

If you have the technical ability to help solve this source of evil that affects millions of people, why would you sit back and just watch?<br/>

Disabling botnets

Disabling botnets is not easy, particularly when one needs to disassemble a Trojan just to figure out how the botnet works. Or sniff the traffic to see what it is doing. It’s beyond the technical ability of many people. Even so, it's still a big step from just logging in to actually disabling a botnet. But there are exceptions.

Some simple botnets exploit known vulnerabilities in web servers to download Perl scripts that cause the server to join an IRC channel and wait for commands. Check your web server logs. Most readers would have the ability to read the logs, find the attack attempt, download the script themselves, and see how it works. While this is a simple (but real) example, a short foray into the underworld by someone with good intentions of shutting a botnet down can be a fascinating experience. If a quick scan reveals that the botnet’s command center is vulnerable to a Teardrop attack or any simple vulnerability, would you not take it down? You definitely should.

With good intentions of fighting a known evil that harms people and the internet, I personally don’t have any ethical issues with people disbanding botnets - provided they don't give further harm to the bots themselves. I think disbanding a botnet is a very good thing to do. They cause so much harm and are used for so many illegal puposes. It’s a little vigilante, but very good for the internet. To do it right, you'd perhaps notify the rightful owners of every one of the computers that had been infected too, else the machines will only be infected by a different botnet. But there are real implications by doing this, too.

Some botnets even have the ability to distribute patches - but it’s used by the botnet operator to retain control, rather then patch and then release the machines that are compromised. And then there are botnets fighting other botnets, a turf war over machines that neither operator owns.

In fairytale land I can imagine someone gaining control of a botnet, distributing a patch to fix the compromised bots, and disbanding the botnet - but even this is wrought with potential harm as well. And one can argue that it’s not his responsibility to fight botnets. Agreed. It’s probably not. It’s really the realm of law enforcement to do this, but let’s be realistic and understand that their limited resources are pretty swamped as it is.

Hello, Skynet

The rise of the botnets may just be the great-grandfather of a Skynet in the distant future. It’s a disturbing trend of evil that is mostly unchecked by all but a few talented people and limited law enforcement. Today most botnets still use some kind of centralised command and control centre - a single point of failure, such as an IRC server. There’s a window of opportunity to shut them down before new peer-to-peer botnets become commonplace, which won't have any single point of failure.

The next generation is coming. It’s a worrisome trend. I wonder if we’ll start to do anything about it en masse in the coming dozen years, before the first signs of Skynet start to appear.

This article originally appeared in Security Focus.

Copyright © 2006, SecurityFocus

Kelly Martin has been working with networks and security since 1986, and he's editor for SecurityFocus, Symantec's online magazine.

The essential guide to IT transformation

More from The Register

next story
Rupert Murdoch says Google is worse than the NSA
Mr Burns vs. The Chocolate Factory, round three!
Microsoft cries UNINSTALL in the wake of Blue Screens of Death™
Cache crash causes contained choloric calamity
Know what Ferguson city needs right now? It's not Anonymous doxing random people
U-turn on vow to identify killer cop after fingering wrong bloke
Germany 'accidentally' snooped on John Kerry and Hillary Clinton
Dragnet surveillance picks up EVERYTHING, USA, m'kay?
Snowden on NSA's MonsterMind TERROR: It may trigger cyberwar
Plus: Syria's internet going down? That was a US cock-up
Who needs hackers? 'Password1' opens a third of all biz doors
GPU-powered pen test yields more bad news about defences and passwords
prev story

Whitepapers

Endpoint data privacy in the cloud is easier than you think
Innovations in encryption and storage resolve issues of data privacy and key requirements for companies to look for in a solution.
Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Top 8 considerations to enable and simplify mobility
In this whitepaper learn how to successfully add mobile capabilities simply and cost effectively.
Solving today's distributed Big Data backup challenges
Enable IT efficiency and allow a firm to access and reuse corporate information for competitive advantage, ultimately changing business outcomes.
Reg Reader Research: SaaS based Email and Office Productivity Tools
Read this Reg reader report which provides advice and guidance for SMBs towards the use of SaaS based email and Office productivity tools.