21 comments

[ 1.7 ms ] story [ 44.6 ms ] thread
A masterful bit of deception. Who would have guessed that a botmaster would be so trusting?
What did he have to lose? The researcher had already penetrated his botnet, and if he was hidden behind an "anonymous proxy chain" then his identity wasn't at risk, non?
he had a lot to lose. the "reporter" could have been collecting subtle details, and trying to match them up with known real-world suspects.

in his position, i certainly wouldn't have talked. but it's probably a lonely occupation, and who else are you going to talk to.

Everything he revealed could be used as evidence at his trial, if he was ever caught. Plus, much of what he revealed will be used to make the systems the botmaster tries to hack into more secure. At the very least, he's just making his own life harder, and possibly more dangerous, if some of what he said could be used to track him down.
He gave out a lot of information. If I was in this scene, I would certainly say: too much information. WAY too much information.

The researcher now knows a forum which contains up-to-date exploits of this scene, transactions of this scene. That is a boatload of knowledge, especially if one finds currently unknown exploits in there, or starts tracking the money by the transactions made on this forum.

Furthermore, the botmaster gave out a lot of information about his illegal activities, so he pretty surely was very, very confident (I'd go as far as calling this overconfident) about his security.

Sorry, but coming from this, this guy does not look like a real serious botmaster to me. I mean, if you make lots of money with bots, why whould you give out information about your exploits and your trades, making it easy for the government and security firms to stop you? That's just dumb.

I'd be interested in seeing the code. I've always wanted to see what that side of the wall does.
Is it possible to monitor bot nets to figure out what they are doing?
I remember steve gibson reverse engineered the protocol for a bot and figured out what it did.
I don't know how often this is still true, but it used to be that they would lurk in an irc channel and the botherder would post commands in the channel. Anybody could figure out what was going on by lurking there as well.
Yep, but it's a lot of work. There at least a few researchers that keep track of bot activity, reverse samples, monitor via wire-compatible clients, etc. From what I gather it's getting harder, some newer worms use decentralized control channels, signed updates, etc.

One way to observe worm behavior: http://www.honeynet.org/

SRI writeup on their dissection of Storm: http://www.cyber-ta.org/pubs/StormWorm/report/

Solid set of info there. Anyone know or have a guess as to the forum the botmaster linked to? Email's in profile if you don't feel like posting it for the public.
The name of the bot is fatalzircd according to the guy and they didnt censor that so its not all lost. After googling that name I found several forums and easily found one with a source code download.
this is a good article. it's pretty clear that, if you had the know-how to write your own botnet software, you could really clean up. you could design your own communication protocol, rather than using irc the way everybody else does, which would help evade detection. windows users are lucky that anybody capable of such a thing probably already has a much more satisfying "real" job.

too bad the article devolved into an ad for cisco products at the very end. i was really digging it up to that point.

Seconded. I liked it save for the Cisco advertising as well.
Interesting article, but the lack of subtlety in some parts made me cringe, e.g: "wanta be partners?".

  the researcher suggested a TOR audio conference
Audio over TOR? I thought it was too slow for that.
Skype wouldn't work, but all you need is a 12kps stream. The problem with tor is sometimes the nodes are very slow, you could probably pick a path that showed to be faster but as far as I know it's non trivial.
May work. Tor is not really that slow. It just has a lot of latency.
He mentioned old school and then quoted 2005, i dont know if its just me but the idea of a botnet is certainly nothing new, and definately spawned from IRC.. FWIW you could date the article 1999 and throw in mentions of wingates a couple of times and sprinkle on some SOCKS proxy information for flavor and i'd know no different.