Deconstructing Botnets
Aug 17th, 2008 by sherri
A friend of mine runs public servers which are regularly attacked by botnets. He writes:
The hardest way to shut down a botnet is to just collect IPs and report it to the provider and the Feds… Sometimes, you just need to get proactive.
Below are some excerpts from our latest discussion. Names have been changed. Reprinted with permission:
w: You asked me what I do sometimes. I mentioned Deconstructing Botnets and the social networks associated with them.
s: Oh yes. I asked how you destroy a botnet, and you said that you social engineer their friends?
w: Yeah, that is one method. They all wanna brag, and take each other out…
s: Like in Batman, when the bad guy just *has* to explain his whole plot before killing the good guy?
w: Yeah, exactly. It’s almost *that* bad… [laughs] What good is a botnet if you can’t show it off to your friends?
A really easy way is to get in good with the network that is hosting the botnet’s IRC command and control (C&C) channel.
s: How do you get to know them? Just hang out?
w: Hang out, share docs, tech, own them, let them own something of yours... “Oh man... you got me good there... Dude, you’re so elite...”
s: Have you had to do this many times?
w: Depends on what you’d consider many… More than I can count on 2 hands? Yes.
s: Really!
w: They’re RUINING MY INTERNETZ SHERRI !!
s: OK, tell me a story of a good one, from the beginning.
w: OK. We’ve had this douchebag that has been bot herding for a long time… like 4 years or longer. We kicked him off the network when we found out what his deal was all about. He got mad upset since we wouldn’t let him chat on his favorite IRC network. He ended up DoS’ing us with like 2gigs for a couple weeks.
I rebuilt the network to keep it up, then started the process of stopping the DoS. The first time he hit us, I just collected IPs and reported it and weathered it…
Then he hit us 2-3 more times, using port 80 or 6667 SYN floods mostly from .ZA and all over. He would hit our DNS A record, which round robins to all the servers.
s: Did you just block those ports? Or was that not possible given your services?
w: Oh, we didn’t even run port 80 services. It was all blocked upstream; the issue was packets per second and line saturation. My ISPs usually null routed all my IPs =( It was enough to take down a border router of Bell Atlantic.
So when I found out his highest bandwidth pushers, I set our domain name to his IPs.
“Oh shit!? Why am I DoS’ing myself!?”
s: Hehehehe
w: After playing games for a while, he disappeared. I did a lot of asking around and Googling… and eventually someone bragged… When he came back last summer, he came back with a couple groups. One was Rapidfire. I know Rapidfire. He talked them into DoS’ing us, and then later Rapidfire’s admins came and apologized and kicked him out of the group… They said they just got a list of IPs and hit it, and then realized later it was us.
s: Huh. He doesn’t like you guys, or he was just being a general dick?
w: He’s a general Internet dick. DoS for hire, phishing, scamming douchebag.
s: Hm.
w: So Rapidfire gave me all his botnet code.
s: Sweet! What did it do?
w: It exploited mostly RedHat Enterprise servers, with weak installations of PHP that would allow ;’s and weak permissions so bots could write and execute in /tmp as Apache.
s: So, once you had the botnet’s code, how did you go from there to shutting it down?
w: Simulate a bot and let it idle for a week or two. Learn what I could about it. Log, log, analyze… Find out when he sleeps. See what he’s doing with the bots. Catalog all the IPs, and analyze those. See if they’re vulnerable from the outside… Some bots patch systems after they’ve been botted, and some don’t.
s: Did they patch in this case?
w: In this case, he didn’t change the PHP installation or the permissions.
s: How did you finally shut it down?
w: Delete the files, edit the php.ini, kill the processes.
s: You were on the victim box?
w: Who, me? Never. It was his bot. I just executed a command in his C&C to kill it.
s: Like the self-destruct button on spaceships?
w: [laughs] I knew the C&C channel name and key from the code. After a while, I figured out how to use his bots and get them to execute a script, such as find X files, find processes, change Y line in php.ini, kill processes or restart apache.
I’d just use his bot to execute what I needed to clean house and shut it down. Then I’d report the box to the provider.
s: Nice.

Very industrious, especially the IRC work. Listening to/reading IRC bs is an exercise in patience, but playing along with IRC sleazepunks long enough to get what you need shows admirable restraint. Keep doing the good works.