
A different solution...
Why don't the white hats release their own series of viruses/worms/malware that will, instead of infecting PCs, install AV software and all the latest security patches?
Researchers at RSA have identified the network framework that endows some of the world's most notorious botnets with always-on connections that are virtually immune from takedowns. At the network's heart are the servers that shepherd tens of thousands of infected PCs so they continue to send spam, spread malware and stay …
1. You can't fight a crime with another crime. It's illegal to infect somebody's PC, for whatever reason, even if you have good intentions.
2. AV companies that could do this if it was legal (which it is not) would not benefit from this. Their goal as a company is to make money, to pay salaries and dividends to shareholders. They have to bring money home to their families. Nobody can afford to work for free.
This actually is a very, very dangerous game, to go after these people. I can imagine when they get too close the top people behind these bot networks are surely going to lash out and figure that if they take down the "hunters" they can survive, and in that case they will go after them personally.
The trouble with the internet is that the original design was intended to stay up when all else failed.
The only way to catch these fellows is to find the next ISPs or whatever they are going to turn to when the next lot get taken out.
Just make sure each provider is looking out for a major surge of multiple desktop activity or whatever it's called. Of course that would require the IT bods are awake and not distracted.
So that means the crims will be looking at understaffed quasi government organisations like schools and hospitals.
I remember a meeting in 2003 in which a US gov agent told us that as far as viruses were concerned, the quality had gone down while the quantity had gone up. For some reason, I just now realize why this happened. Creating these botnets is a much more profitable business than a "traditional" virus write & sell operation. While it may seem obvious now, at the time I wondered where all the skill had gone. Each day the tubes become a more corrupt place.
As far as I can tell there's just one /23 route being addressed by one of those listed AS numbers; the rest have had some /22 and /24 routes withdrawn over the last week, but other than that, nothing.
Could be that http://www.cidr-report.org isn't terribly reliable, but it seems like there's nothing actually going on with these networks.
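The check this commenter is describing, whether prefixes originated by a listed AS are still announced or have been withdrawn, can be done by diffing two route-table snapshots. The following is an added example, not code from the thread or from cidr-report.org; the snapshot format (one `prefix origin_as` pair per line), the AS numbers and the prefixes are all constructed for illustration.

```python
# Added example (constructed): diff two BGP route-table snapshots and report,
# per origin AS, which prefixes were withdrawn, which are still announced,
# and whether the AS has gone completely dark. The snapshot format below is
# an assumption (a trimmed "prefix origin_as" listing), not a real tool output.
from collections import Counter

# Constructed snapshot "before": documentation prefixes and private-use ASNs only.
SNAPSHOT_BEFORE = """\
198.51.100.0/22 64500
198.51.100.0/24 64500
203.0.113.0/24 64501
203.0.113.0/23 64501
192.0.2.0/24 64502
"""

# Constructed snapshot "after": AS64500 lost everything, AS64501 lost its /24.
SNAPSHOT_AFTER = """\
203.0.113.0/23 64501
192.0.2.0/24 64502
"""


def parse_snapshot(text):
    """Return a set of (prefix, origin_asn) tuples from a snapshot listing."""
    routes = set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        prefix, asn = line.split()
        routes.add((prefix, int(asn)))
    return routes


def route_changes(before_text, after_text, watched_asns):
    """Per watched AS, list withdrawn / still-announced / newly seen prefixes."""
    before = parse_snapshot(before_text)
    after = parse_snapshot(after_text)
    report = {}
    for asn in watched_asns:
        was = {p for p, a in before if a == asn}
        now = {p for p, a in after if a == asn}
        report[asn] = {
            "withdrawn": sorted(was - now),
            "still_announced": sorted(was & now),
            "new": sorted(now - was),
            # "dark" means the AS originates nothing in the newer snapshot
            "dark": not now,
        }
    return report


def withdrawn_by_length(report):
    """Count withdrawn prefixes by prefix length (e.g. how many /24s vanished)."""
    counts = Counter()
    for entry in report.values():
        for prefix in entry["withdrawn"]:
            counts["/" + prefix.split("/")[1]] += 1
    return dict(counts)


if __name__ == "__main__":
    rep = route_changes(SNAPSHOT_BEFORE, SNAPSHOT_AFTER, [64500, 64501, 64502, 64503])
    for asn, entry in rep.items():
        print(asn, entry)
    print(withdrawn_by_length(rep))
```

An AS that is "dark" in the newer snapshot is the signal a takedown has actually bitten at the routing layer; a handful of withdrawn /24s with the covering /22 or /23 still announced, as in the commenter's observation, usually means traffic still has a path.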
Ever since I first followed some malware into a rabbit hole in IRC and learned how it was working, I expected nameless groups to use those command and control channels to force cleaners to be installed and run on the target zombies. It's been years and I still haven't seen that happen. I have to wonder why. I've seen bad guys battle each other over control channel usage but no good guys.
Meh, maybe I'm just not seeing it but it is happening. I certainly wouldn't publicize it.
I actually got to speak with one of the white hats, and they did mull over the whole, 'take over botnet, make it clean itself' idea. The problem is, as tempting as it is, removing a bot, even if it means a simple restart, puts them in the crosshairs of any lawsuit if things go wrong (And knowing how even tested patches can go haywire, they WILL go wrong). This was made even worse by the fact that some of the botnet zombies were hospital computers or other important systems. The only thing they could really legally do was to try to contact the already negligent companies, and hope they fix things.
So where are the vigilantes? Well, they're gritting their teeth, smart enough to realize that the botnets are holding hostages.
A game of "Whack-a-mole". Hit it on the head, and it pops up somewhere else. Need everyone to get their hammer and strike at once. Maybe some day, we can hope!
Now if someone gets control of the botnet and sends out a self destruct code, that would be really nice. Given the allowable methods of fighting botnets, this might not be too ethical (but it needs to be done!).
A lot of these command-and-control networks have their own private network of IRC servers established where the bots themselves join the network.
IRC has long been known for its ability to self-heal if enough cross-server links are established. Using the infrastructure IRC provides is cheap and easy.
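From the defender's side, the tell-tale of the private IRC C&C networks described above is many internal hosts joining the same channel on the same server, often on a non-standard port. The following is an added example, not code from the thread: it runs a simple detection over constructed IRC command log lines. The log format (`src -> dst:port COMMAND args`), the addresses, nicks and channel names are all made up for illustration.

```python
# Added example (constructed): flag IRC channels joined by many internal hosts
# and IRC commands sent to non-standard ports. Input format is an assumption
# modelled loosely on what an IDS or proxy might log for IRC sessions.
import re
from collections import defaultdict

# Constructed log lines: "<src_ip> -> <dst_ip>:<port> <IRC command> [args]"
LOG_LINES = """\
10.0.0.11 -> 203.0.113.5:6667 NICK [USA|XP]7a1f
10.0.0.11 -> 203.0.113.5:6667 JOIN #cc-01 pass123
10.0.0.12 -> 203.0.113.5:6667 NICK [DEU|XP]9c02
10.0.0.12 -> 203.0.113.5:6667 JOIN #cc-01 pass123
10.0.0.13 -> 203.0.113.5:1337 NICK [USA|W7]44b1
10.0.0.13 -> 203.0.113.5:1337 JOIN #cc-01 pass123
10.0.0.20 -> 198.51.100.9:6667 NICK alice
10.0.0.20 -> 198.51.100.9:6667 JOIN #linux
"""

LINE_RE = re.compile(r"^(\S+) -> (\S+):(\d+) (\w+)(?: (.*))?$")

# Ports conventionally used by IRC; anything else is worth a second look.
IRC_PORTS = {6665, 6666, 6667, 6668, 6669, 6697, 7000}


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    src, dst, port, cmd, args = m.groups()
    return {"src": src, "dst": dst, "port": int(port),
            "cmd": cmd.upper(), "args": args or ""}


def find_suspicious_channels(log_text, min_hosts=3):
    """Return (flagged_channels, odd_port_connections).

    flagged_channels maps (server, channel) -> sorted list of internal hosts
    when at least min_hosts distinct hosts joined that channel; a normal user
    channel joined by a single workstation is never flagged.
    """
    members = defaultdict(set)
    odd_ports = set()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["cmd"] == "JOIN" and rec["args"]:
            channel = rec["args"].split()[0]   # JOIN may carry a channel key after the name
            members[(rec["dst"], channel)].add(rec["src"])
        if rec["port"] not in IRC_PORTS:
            odd_ports.add((rec["src"], rec["dst"], rec["port"]))
    flagged = {key: sorted(hosts) for key, hosts in members.items()
               if len(hosts) >= min_hosts}
    return flagged, sorted(odd_ports)


if __name__ == "__main__":
    flagged, odd = find_suspicious_channels(LOG_LINES)
    for (server, channel), hosts in flagged.items():
        print(f"{len(hosts)} hosts joined {channel} on {server}: {', '.join(hosts)}")
    for src, dst, port in odd:
        print(f"IRC traffic on unusual port: {src} -> {dst}:{port}")
```

The threshold of three hosts is deliberately low for the constructed sample; on a real network it should be tuned against the baseline of legitimate IRC use, and the port list extended to whatever the site actually permits.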
If you've the confidence to actually tackle the problem yourself rather than saying "not my problem/nothing I can do about it", then with any decent RootKit detector, knowledge of the Command Prompt and its instructions, and a list of the files created by Zbot, Kollah, Pakes, PWSZbot, Banker, or Wsnpoem or any other name that Zeus goes by, it can be manually removed. Helps too, if you're not afraid to modify the Registry manually as well.
There is a plethora of information/analysis on this Bot freely available on the Web, and a plethora of commentards who claim to be Computer literate, take some active participation in the removal of the problem, and find something else to cry about.
If you're not part of the solution.................................how the f+++ does that quote finish?
Actually taking these things down and keeping them down isn't impossible, the problem is the people with the skills and resources to do it (AV etc) are exactly the people who can't use the techniques required due to the legal position.
Blackholing etc is only ever a temporary measure - as soon as the CC chans are up again the bots will come home to roost. Modifying the ring-0 code to bluescreen on bootup will force all infected machines to have a clean install, and will only deliver the payload on boot up, so won't damage running boxes. It's still very illegal however and not an option for the people in a position to do it.
There is one *possible* option however - do the above to zombies in foreign lands with no extradition treaties, and where you don't have any plans to work/holiday/transit through. It's still risky, and I don't see AV co's etc doing it (and I don't blame them either) but using the same weaknesses in the law to take down the botnets that the botherders use to run them has a certain irony to it.
I guess we can but dream...
Because if they don't that idea won't work.
I believe it would be the safest way to cripple a botnet.
But here's a legal question. By *issuing* that command can it be said the whitehats have *legally* tampered with these machines.
Thumbs down because it still sucks that the herders net is more reliable than their victims.