Feeds

Stop the bots

Knock 'em off, but do it the right way

SANS - Survey on application security programs

There are clear legal and ethical issues involved in disabling botnets, especially when they involve thousands of machines that span dozens of countries with different legal systems. But doing nothing at all to stop them is worse than trying to help. I think too many people get caught up in the legal side of fighting back, however, when the very nature of botnets are a perversion of the internet. Knocking them offline is a good thing, you just have to do it the right way. I wish more people would fight this kind of evil - in their spare time - and try to clean things up. The benefits are reduced spam, fewer phishing scams, perhaps less spyware, fewer stolen identities, and the knowledge that you helped potentially thousands of people against what is now becoming organised crime.

A few smart people are doing this and documenting their efforts (article 1, article 2). Honeypots can be a great way to capture bot software and start to analyse what it does. There are a few cases of public "zombie hunters" and the "return of the web mob" where people are fighting botnets and willing to go public. I applaud their efforts, I just wish more people would join in.

If you have the technical ability to help solve this source of evil that affects millions of people, why would you sit back and just watch?<br/>

Disabling botnets

Disabling botnets is not easy, particularly when one needs to disassemble a Trojan just to figure out how the botnet works. Or sniff the traffic to see what it is doing. It’s beyond the technical ability of many people. Even so, it's still a big step from just logging in to actually disabling a botnet. But there are exceptions.

Some simple botnets exploit known vulnerabilities in web servers to download Perl scripts that cause the server to join an IRC channel and wait for commands. Check your web server logs. Most readers would have the ability to read the logs, find the attack attempt, download the script themselves, and see how it works. While this is a simple (but real) example, a short foray into the underworld by someone with good intentions of shutting a botnet down can be a fascinating experience. If a quick scan reveals that the botnet’s command center is vulnerable to a Teardrop attack or any simple vulnerability, would you not take it down? You definitely should.

With good intentions of fighting a known evil that harms people and the internet, I personally don’t have any ethical issues with people disbanding botnets - provided they don't give further harm to the bots themselves. I think disbanding a botnet is a very good thing to do. They cause so much harm and are used for so many illegal puposes. It’s a little vigilante, but very good for the internet. To do it right, you'd perhaps notify the rightful owners of every one of the computers that had been infected too, else the machines will only be infected by a different botnet. But there are real implications by doing this, too.

Some botnets even have the ability to distribute patches - but it’s used by the botnet operator to retain control, rather then patch and then release the machines that are compromised. And then there are botnets fighting other botnets, a turf war over machines that neither operator owns.

In fairytale land I can imagine someone gaining control of a botnet, distributing a patch to fix the compromised bots, and disbanding the botnet - but even this is wrought with potential harm as well. And one can argue that it’s not his responsibility to fight botnets. Agreed. It’s probably not. It’s really the realm of law enforcement to do this, but let’s be realistic and understand that their limited resources are pretty swamped as it is.

Hello, Skynet

The rise of the botnets may just be the great-grandfather of a Skynet in the distant future. It’s a disturbing trend of evil that is mostly unchecked by all but a few talented people and limited law enforcement. Today most botnets still use some kind of centralised command and control centre - a single point of failure, such as an IRC server. There’s a window of opportunity to shut them down before new peer-to-peer botnets become commonplace, which won't have any single point of failure.

The next generation is coming. It’s a worrisome trend. I wonder if we’ll start to do anything about it en masse in the coming dozen years, before the first signs of Skynet start to appear.

This article originally appeared in Security Focus.

Copyright © 2006, SecurityFocus

Kelly Martin has been working with networks and security since 1986, and he's editor for SecurityFocus, Symantec's online magazine.

Combat fraud and increase customer satisfaction

More from The Register

next story
Parent gabfest Mumsnet hit by SSL bug: My heart bleeds, grins hacker
Natter-board tells middle-class Britain to purée its passwords
Obama allows NSA to exploit 0-days: report
If the spooks say they need it, they get it
Web data BLEEDOUT: Users to feel the pain as Heartbleed bug revealed
Vendors and ISPs have work to do updating firmware - if it's possible to fix this
Samsung Galaxy S5 fingerprint scanner hacked in just 4 DAYS
Sammy's newbie cooked slower than iPhone, also costs more to build
Mounties always get their man: Heartbleed 'hacker', 19, CUFFED
Canadian teen accused of raiding tax computers using OpenSSL bug
Snowden-inspired crypto-email service Lavaboom launches
German service pays tribute to Lavabit
One year on: diplomatic fail as Chinese APT gangs get back to work
Mandiant says past 12 months shows Beijing won't call off its hackers
prev story

Whitepapers

Designing a defence for mobile apps
In this whitepaper learn the various considerations for defending mobile applications; from the mobile application architecture itself to the myriad testing technologies needed to properly assess mobile applications risk.
3 Big data security analytics techniques
Applying these Big Data security analytics techniques can help you make your business safer by detecting attacks early, before significant damage is done.
Five 3D headsets to be won!
We were so impressed by the Durovis Dive headset we’ve asked the company to give some away to Reg readers.
The benefits of software based PBX
Why you should break free from your proprietary PBX and how to leverage your existing server hardware.
Securing web applications made simple and scalable
In this whitepaper learn how automated security testing can provide a simple and scalable way to protect your web applications.