What did he have to lose? The researcher had already penetrated his botnet, and if he was hidden behind an "anonymous proxy chain" then his identity wasn't at risk, non?
Everything he revealed could be used as evidence at his trial, if he was ever caught. Plus, much of what he revealed will be used to make the systems the botmaster tries to hack into more secure. At the very least, he's just making his own life harder, and possibly more dangerous, if some of what he said could be used to track him down.
He gave out a lot of information. If I was in this scene, I would certainly say: too much information. WAY too much information.
The researcher now knows a forum which contains up-to-date exploits of this scene, transactions of this scene. That is a boatload of knowledge, especially if one finds currently unknown exploits in there, or starts tracking the money by the transactions made on this forum.
Furthermore, the botmaster gave out a lot of information about his illegal activities, so he pretty surely was very, very confident (I'd go as far as calling this overconfident) about his security.
Sorry, but coming from this, this guy does not look like a real serious botmaster to me. I mean, if you make lots of money with bots, why whould you give out information about your exploits and your trades, making it easy for the government and security firms to stop you? That's just dumb.
I don't know how often this is still true, but it used to be that they would lurk in an irc channel and the botherder would post commands in the channel. Anybody could figure out what was going on by lurking there as well.
Yep, but it's a lot of work. There at least a few researchers that keep track of bot activity, reverse samples, monitor via wire-compatible clients, etc. From what I gather it's getting harder, some newer worms use decentralized control channels, signed updates, etc.
Solid set of info there. Anyone know or have a guess as to the forum the botmaster linked to? Email's in profile if you don't feel like posting it for the public.
The name of the bot is fatalzircd according to the guy and they didnt censor that so its not all lost. After googling that name I found several forums and easily found one with a source code download.
this is a good article. it's pretty clear that, if you had the know-how to write your own botnet software, you could really clean up. you could design your own communication protocol, rather than using irc the way everybody else does, which would help evade detection. windows users are lucky that anybody capable of such a thing probably already has a much more satisfying "real" job.
too bad the article devolved into an ad for cisco products at the very end. i was really digging it up to that point.
Skype wouldn't work, but all you need is a 12kps stream. The problem with tor is sometimes the nodes are very slow, you could probably pick a path that showed to be faster but as far as I know it's non trivial.
He mentioned old school and then quoted 2005, i dont know if its just me but the idea of a botnet is certainly nothing new, and definately spawned from IRC.. FWIW you could date the article 1999 and throw in mentions of wingates a couple of times and sprinkle on some SOCKS proxy information for flavor and i'd know no different.
21 comments
[ 1.7 ms ] story [ 44.6 ms ] threadin his position, i certainly wouldn't have talked. but it's probably a lonely occupation, and who else are you going to talk to.
The researcher now knows a forum which contains up-to-date exploits of this scene, transactions of this scene. That is a boatload of knowledge, especially if one finds currently unknown exploits in there, or starts tracking the money by the transactions made on this forum.
Furthermore, the botmaster gave out a lot of information about his illegal activities, so he pretty surely was very, very confident (I'd go as far as calling this overconfident) about his security.
Sorry, but coming from this, this guy does not look like a real serious botmaster to me. I mean, if you make lots of money with bots, why whould you give out information about your exploits and your trades, making it easy for the government and security firms to stop you? That's just dumb.
One way to observe worm behavior: http://www.honeynet.org/
SRI writeup on their dissection of Storm: http://www.cyber-ta.org/pubs/StormWorm/report/
too bad the article devolved into an ad for cisco products at the very end. i was really digging it up to that point.
I got to write half of it in Scheme, which probably means that I deployed more Scheme runtime than anybody else on the planet.