Fireeye is badass

December 16, 2008

This group FireEye is deep in the trenches attempting to detect and destroy botnets.  They have excellent intel and perform some great analysis.  My only beef is that they had around 450k Srizbi bots tied up by awesomely preregistering its fallback domains, in conjunction with getting the main RBN-like-in-the-US hosting provider McColo taken down, and then let them go; now the botnet controllers have updated their C&C to servers outside the US (it was predictable).  McColo’s operations are tracked by many, but here is a good writeup on them.

In my opinion, the fact that this hosting provider hosted 80 percent of the C&Cs of the most prolific spam operations in the world, which account for 90%+ of traffic, makes this a major fuck up for law enforcement and Intelligence.  At least from the open source reporting side.  I only hope that enough intel was gathered prior to the pressure that security researchers placed on McColo’s internet peering providers that resulted in them getting pulled offline.  These guys were freaking based in San Diego.  I would expect, with the link to child porn, ID theft and the sheer amount of bad activities, that all their servers and IT equipment would currently be boxed up by the Men in Black for forensics, with a sturdy baton courtesy once they get ahold of the owners.  Once again, we have not gotten to this level yet in our responses nationally, so people will continue to suffer.  Already traffic is back to its previous pre-takedown levels, as predicted.

So I will say this again.  MAJOR OPPORTUNITY LOSS.  MAJOR FUCKUP.  Try again next time.  I told this to an FBI agent with the cybercrime squad from the Washington Field Office and he gave me a predictable line about “blah blah, how sometimes you don't want to take people down (inferred intelligence reasons).”  But guys, come on, this is what is called a Center of Gravity in military terms, and you had the opportunity to drop a 2000 lb bomb and you let them fly out of jurisdiction like a fart in the wind.  This will be the last iteration before malware bots go full-up P2P resilient with robust fallback mechanisms and harder-to-trace operations.  This will make things 10x harder.

Of course, with the pissant sentences a botnet controller would get these days, it really doesn't matter if they get caught or not.

Great but misguided efforts by the security community.

Maybe someday security researchers will have the balls to infiltrate and neuter or destroy these bots in place.  It has not become a mainstream security response practice yet, but hopefully it will.  Everybody is scared of the goddamn lawyers, but I say fuck it.  Get an unattributable network in place and run a BlackOps operation.  Corrupt the bot's PE header, kill the process so as to keep it from running, and move upon your merry way.


Post a little message saying Yer ass has just been saved.

They also have excellent analysis on other beasts such as Rustock, Pushdo / Cutwail, and Kraken, all of which employ tons of anti-analysis and rootkit capabilities.
