Stop the bots

Knock 'em off, but do it the right way

The Essential Guide to IT Transformation

There are clear legal and ethical issues involved in disabling botnets, especially when they involve thousands of machines that span dozens of countries with different legal systems. But doing nothing at all to stop them is worse than trying to help. I think too many people get caught up in the legal side of fighting back, however, when the very nature of botnets are a perversion of the internet. Knocking them offline is a good thing, you just have to do it the right way. I wish more people would fight this kind of evil - in their spare time - and try to clean things up. The benefits are reduced spam, fewer phishing scams, perhaps less spyware, fewer stolen identities, and the knowledge that you helped potentially thousands of people against what is now becoming organised crime.

A few smart people are doing this and documenting their efforts (article 1, article 2). Honeypots can be a great way to capture bot software and start to analyse what it does. There are a few cases of public "zombie hunters" and the "return of the web mob" where people are fighting botnets and willing to go public. I applaud their efforts, I just wish more people would join in.

If you have the technical ability to help solve this source of evil that affects millions of people, why would you sit back and just watch?<br/>

Disabling botnets

Disabling botnets is not easy, particularly when one needs to disassemble a Trojan just to figure out how the botnet works. Or sniff the traffic to see what it is doing. It’s beyond the technical ability of many people. Even so, it's still a big step from just logging in to actually disabling a botnet. But there are exceptions.

Some simple botnets exploit known vulnerabilities in web servers to download Perl scripts that cause the server to join an IRC channel and wait for commands. Check your web server logs. Most readers would have the ability to read the logs, find the attack attempt, download the script themselves, and see how it works. While this is a simple (but real) example, a short foray into the underworld by someone with good intentions of shutting a botnet down can be a fascinating experience. If a quick scan reveals that the botnet’s command center is vulnerable to a Teardrop attack or any simple vulnerability, would you not take it down? You definitely should.

With good intentions of fighting a known evil that harms people and the internet, I personally don’t have any ethical issues with people disbanding botnets - provided they don't give further harm to the bots themselves. I think disbanding a botnet is a very good thing to do. They cause so much harm and are used for so many illegal puposes. It’s a little vigilante, but very good for the internet. To do it right, you'd perhaps notify the rightful owners of every one of the computers that had been infected too, else the machines will only be infected by a different botnet. But there are real implications by doing this, too.

Some botnets even have the ability to distribute patches - but it’s used by the botnet operator to retain control, rather then patch and then release the machines that are compromised. And then there are botnets fighting other botnets, a turf war over machines that neither operator owns.

In fairytale land I can imagine someone gaining control of a botnet, distributing a patch to fix the compromised bots, and disbanding the botnet - but even this is wrought with potential harm as well. And one can argue that it’s not his responsibility to fight botnets. Agreed. It’s probably not. It’s really the realm of law enforcement to do this, but let’s be realistic and understand that their limited resources are pretty swamped as it is.

Hello, Skynet

The rise of the botnets may just be the great-grandfather of a Skynet in the distant future. It’s a disturbing trend of evil that is mostly unchecked by all but a few talented people and limited law enforcement. Today most botnets still use some kind of centralised command and control centre - a single point of failure, such as an IRC server. There’s a window of opportunity to shut them down before new peer-to-peer botnets become commonplace, which won't have any single point of failure.

The next generation is coming. It’s a worrisome trend. I wonder if we’ll start to do anything about it en masse in the coming dozen years, before the first signs of Skynet start to appear.

This article originally appeared in Security Focus.

Copyright © 2006, SecurityFocus

Kelly Martin has been working with networks and security since 1986, and he's editor for SecurityFocus, Symantec's online magazine.

Build a business case: developing custom apps

More from The Register

next story
14 antivirus apps found to have security problems
Vendors just don't care, says researcher, after finding basic boo-boos in security software
Only '3% of web servers in top corps' fully fixed after Heartbleed snafu
Just slapping a patched OpenSSL on a machine ain't going to cut it, we're told
'Things' on the Internet-of-things have 25 vulnerabilities apiece
Leaking sprinklers, overheated thermostats and picked locks all online
How long is too long to wait for a security fix?
Synology finally patches OpenSSL bugs in Trevor's NAS
Israel's Iron Dome missile tech stolen by Chinese hackers
Corporate raiders Comment Crew fingered for attacks
Roll out the welcome mat to hackers and crackers
Security chap pens guide to bug bounty programs that won't fail like Yahoo!'s
HIDDEN packet sniffer spy tech in MILLIONS of iPhones, iPads – expert
Don't panic though – Apple's backdoor is not wide open to all, guru tells us
Researcher sat on critical IE bugs for THREE YEARS
VUPEN waited for Pwn2Own cash while IE's sandbox leaked
prev story


Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
The Essential Guide to IT Transformation
ServiceNow discusses three IT transformations that can help CIO's automate IT services to transform IT and the enterprise.
Consolidation: The Foundation for IT Business Transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.
How modern custom applications can spur business growth
Learn how to create, deploy and manage custom applications without consuming or expanding the need for scarce, expensive IT resources.
Build a business case: developing custom apps
Learn how to maximize the value of custom applications by accelerating and simplifying their development.