Security Incidents mailing list archives
Re: Disassembling botnets
From: Felikz <securityfocus () felikz net>
Date: Wed, 06 Apr 2005 20:00:54 +0100
If you are, or the attack is coming from or via the UK, then the NHTCU would be a place to start.
http://www.nhtcu.org/ P.B. Wagenaar wrote:
Hi Commander Z! Well it isn't your job to disable the botnet and close down irc servers. All you can do is inform the ISP and report this all to the police. You are right if you say that all this won't do you any good. If you want to see some 'action', you should start a civil case against the ISP hosting the IRC network. It might sound wrong, but this will wake the ISP up and they will take the matter very seriously. Ofcourse you don't want to make the ISP pay for what some hacker did, but this might make them go after the hacker behind the botnet. Send them a bill for your damages and wait for their response. Philip Wagenaar -----Oorspronkelijk bericht-----Van: Z [mailto:commander_uk () yahoo com] Verzonden: woensdag 6 april 2005 2:17Aan: incidents () securityfocus com Onderwerp: Disassembling botnets Hello all, As a recent victim of a sustained DDoS attack I decided to investigate a little further into the attack source. One of the compromised machines that was attacking was serving files on a modified FTP server sitting on a random port. I downloaded the file, a packed/crypted .exe file (NAV didn't find anything) that is obviously a DDoS agent. Running in a simulated environment, I found the DNS name of the IRC server it connects to, which at present resolves to an obviously compromised machine on a residential ISP. I joined the IRC server using techniques described in http://www.honeynet.org/papers/bots/ and found to my dismay around 2,000 other compromised users on an obvious botnet IRC server. Now, what are my next steps? Obviously if I complain to the ISP hosting the IRC server they will just update the DNS name and move the operation elsewhere. The domain appears to use managed DNS hosting (ie no 3rd party nameservers as best as I can tell), so would the registrar even consider taking it down based on one report of a single A record pointing to a DDoS net? I really want to have those responsible brought to justice, but based on my complaints to previous ISPs of the largest attackers on the DDoS net, I'm afraid all I'll get is a canned "We have informed the customer" or similar response. It seems I'll only get one chance at this before they take off to another box. I'd really like to get some kind of law enforcement involved, but don't know where to start: Me and my server are in different countries and this essentially a personal attack on me - no businesses are involved. Any thoughts or advice would be appreciated. Thanks.Send instant messages to your online friends http://uk.messenger.yahoo.com-------------------------------------------------------------------------- Test Your IDS Is your IDS deployed correctly? Find out quickly and easily by testing it with real-world attacks from CORE IMPACT. Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 to learn more. --------------------------------------------------------------------------
-------------------------------------------------------------------------- Test Your IDS Is your IDS deployed correctly?Find out quickly and easily by testing it with real-world attacks from CORE IMPACT. Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 to learn more.
--------------------------------------------------------------------------
Current thread:
- Disassembling botnets Z (Apr 06)
- RE: Disassembling botnets P.B. Wagenaar (Apr 06)
- Re: Disassembling botnets Felikz (Apr 06)
- <Possible follow-ups>
- Re: Disassembling botnets Harlan Carvey (Apr 06)
- Re: Disassembling botnets Jeff Bryner (Apr 06)
- RE: Disassembling botnets P.B. Wagenaar (Apr 06)