Seminal Event in Takedownville? Not today. Not yet. Gamechanger #5 Botkills

March 12, 2010


A Russian, a Spaniard, and a Bulgarian walk into a bar……

So much press ado is being bandied about regarding the recent botnet takedowns.  Consider these efforts baby steps, if you will.

Microsoft Waledac Takedown – P2P baby, will rear its ugly head again.  This is Storm RBN, out the bastards already.  Do you need me to show you where it is on Google Maps?  Saint Petersburg.

Mariposa Botnet – Technical details … Spanish amateurs?  – NO JAIL TIME, weak laws, SPANISH SAID so. They got out of jail and went back to recovering the damn thing and then got re-arrested!  Cyber comedy ensues. 13 Million? psh. please, more like 700k.  Useful only for FBI PR and Panda marketing.

NOTE: If you're going to take the time to null route sinkhole a botnet, and you have reversed their command and control, at least give the goddamn courtesy of hitting the kill switch on the way out.  For those that are not familiar, for some reason tons and tons of malware implements a KILL BOT command.  It simply deletes the bot.  If the botnet is properly reversed you should have a 99.99% chance of eliminating the bots in the entire network with a single command.  That means full, massive remediation.   For the bots that are not online yet, as soon as they get online, they beacon, get the updated command and erase themselves as well.

—– OR how about this.  Every bot has an UPDATE command.  It needs to download a new copy, kill its process and restart with the new version.  Send it NOTEPAD via the update.  Voila! Done.

—- OR how about this.  Send it a new version with a corrupted PE header.  Totally inoperable.  OR send it an encrypted copy of itself.  No key to decrypt, no function.  OR just corrupt the key with a binary patch.  There are countless ways.  Afraid of the DOOMSDAY scenario that's always bandied about?  Denial of service to a hospital, thus killing senior citizens hooked up to Windows 98?  – First, HIGHLY HIGHLY unlikely if you reverse the code right; second, just go unattributed.  That’s the beauty of the Internet.

MARIPOSA Analysis

The point is that researchers have better ways of getting right to the point and actually doing something about botnets.  Not sitting back and allowing a notification and remediation nightmare while they reap the press glory of a depeering event (ineffective) or a coordinated DNS domain suspension/sinkholing.
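On the "13 million vs. 700k" point and the remediation nightmare that follows a sinkholing: the size claim depends entirely on what you count once beacons start hitting the sinkhole. The following is an added example, not code from the original post; the log format, bot ID field, and per-line country code (assumed to come from a GeoIP lookup at capture time) are constructed. It dedupes by the bot's own ID rather than by source IP, buckets bots by country, and lists which bots were still beaconing after a given date, which is the list a notification effort actually has to work through.

```python
"""Sinkhole beacon triage: count bots by unique bot ID, not by IP, and bucket by country.

Added example, not code from the original post. The log format, the bot= field and the
cc= field (assumed to be filled in by a GeoIP lookup when the beacon was captured) are constructed.
"""
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sinkhole beacon lines: timestamp, source IP, bot ID carried in the beacon, country code.
# A1F3 beacons from two IPs (DHCP churn inflates IP counts); 203.0.113.9 carries two bots (NAT deflates them).
SINKHOLE_LOG = """\
2010-03-10T01:02:03Z 198.51.100.7 bot=A1F3 cc=US
2010-03-10T01:02:09Z 198.51.100.7 bot=A1F3 cc=US
2010-03-10T01:05:11Z 203.0.113.9 bot=77B2 cc=ES
2010-03-10T02:00:00Z 198.51.100.8 bot=A1F3 cc=US
2010-03-11T03:00:00Z 192.0.2.44 bot=C0DE cc=BG
2010-03-11T03:00:05Z 192.0.2.45 bot=C0DE cc=BG
2010-03-11T04:00:05Z 203.0.113.9 bot=9F9F cc=ES
2010-03-11T04:00:05Z garbage line
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<ip>\d+\.\d+\.\d+\.\d+)\s+bot=(?P<bot>\w+)\s+cc=(?P<cc>[A-Z]{2})$"
)


def parse_beacons(text):
    """Return (list of beacon dicts, number of malformed lines skipped)."""
    beacons, skipped = [], 0
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            skipped += 1  # never let one garbage line abort the whole count
            continue
        d = m.groupdict()
        d["ts"] = datetime.strptime(d["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        beacons.append(d)
    return beacons, skipped


def botnet_size(beacons):
    """Return (unique source IPs, unique bot IDs, {country: unique bot IDs}).

    The first number is what a press release tends to quote; the second is closer to the
    number of infected machines.
    """
    ips = {b["ip"] for b in beacons}
    bots = {b["bot"] for b in beacons}
    per_cc = defaultdict(set)
    for b in beacons:
        per_cc[b["cc"]].add(b["bot"])
    return len(ips), len(bots), {cc: len(s) for cc, s in per_cc.items()}


def still_infected(beacons, cutoff):
    """Bot IDs seen beaconing at or after `cutoff`: the hosts a notification effort must still reach."""
    return sorted({b["bot"] for b in beacons if b["ts"] >= cutoff})


if __name__ == "__main__":
    beacons, skipped = parse_beacons(SINKHOLE_LOG)
    ips, bots, per_cc = botnet_size(beacons)
    print(f"unique IPs={ips} unique bots={bots} per country={per_cc} skipped={skipped}")
    cutoff = datetime(2010, 3, 11, tzinfo=timezone.utc)
    print("still beaconing after", cutoff.date(), "->", still_infected(beacons, cutoff))
```

With the constructed sample the IP count is 5 and the bot ID count is 4, and the two effects pull in opposite directions on real data, so a headline number that does not say which one it is tells you very little.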

Zeus DePeering – So some mysterioso took down like 20 percent of the numerous implementations of Zeus out there now.  Due to sheer badassness and open sourcing we will see this for a LONG time to come.  STEALING MILLIONS from middle America businesses and organizations via ACH fraud.  These victims don't have a clue until it's too late.  Time for legislation to put the entire financial responsibility on banks.  Then things will change.  – the thing with Zeus is that the depeered ISP / ASN reconnected to the Internet in muther loving Russia. It has already reconstituted around 50 of the C&Cs it lost.  Guys, the Zeus tracker lists them all right there.  Start with every one in the US and smash them out of existence.  Prove you have what it takes to coordinate law enforcement internationally and do the same with the others.  Consider it a case study in international cyber enforcement.  BTW Zeus has a KOS command that destroys systems.  It's already been used a few times.  Another actor that does not like you can wage an attack on you by infiltrating and wiping all your compromised systems.  This can be done in a targeted fashion based on country code or other groupings, due to how these advanced bots can segregate their hosts.  Don't you love GeoIP dbs?
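"Start with every one in the US" is a triage order, and a tracker export is the input. The following is an added example, not the post's code and not ZeuS Tracker's actual export format (the CSV columns, hostnames, IPs and ASNs below are constructed). It sorts the still-online C&Cs with US-hosted ones first and grouped by ASN, so one abuse report per network covers several hosts, and then renders the whole list as a DNS RPZ zone that resolvers can use to NXDOMAIN the C&C names and drop answers pointing at the C&C IPs while the takedown work proceeds.

```python
"""Triage a C&C tracker export and render a DNS RPZ block list from it.

Added example, not code from the original post and not ZeuS Tracker's export format:
the CSV columns, hostnames, IPs and ASNs below are constructed.
"""
import csv
import io

# Constructed tracker export. 198.51.100.0/24, 203.0.113.0/24 and 192.0.2.0/24 are documentation ranges.
TRACKER_EXPORT = """\
host,ip,cc,asn,status
cnc-one.example,198.51.100.10,US,64500,online
cnc-two.example,203.0.113.20,RU,64501,online
cnc-three.example,192.0.2.30,US,64502,offline
cnc-four.example,198.51.100.40,US,64500,online
cnc-five.example,203.0.113.50,BG,64503,online
"""


def load_tracker(text):
    """Parse the CSV export into a list of dicts keyed by the header row."""
    return list(csv.DictReader(io.StringIO(text)))


def triage(entries, priority=("US",)):
    """Online C&Cs first; within those, countries listed in `priority` ahead of the rest;
    then grouped by ASN so one abuse contact covers every host on that network."""
    def key(e):
        cc_rank = priority.index(e["cc"]) if e["cc"] in priority else len(priority)
        return (e["status"] != "online", cc_rank, e["asn"], e["host"])
    return sorted(entries, key=key)


def rpz_zone(entries, origin="rpz.local."):
    """Render a Response Policy Zone.

    `<name> CNAME .` returns NXDOMAIN for the C&C hostname; the rpz-ip trigger
    (`<prefixlen>.<reversed octets>.rpz-ip`) does the same for any answer containing the C&C IP,
    which also catches the C&C when it moves to a fresh domain on the same address.
    """
    lines = [
        f"$ORIGIN {origin}",
        "$TTL 60",
        "@ SOA localhost. root.localhost. 1 3600 900 604800 60",
        "@ NS localhost.",
    ]
    for e in entries:
        lines.append(f"{e['host']} CNAME .")
        reversed_octets = ".".join(reversed(e["ip"].split(".")))
        lines.append(f"32.{reversed_octets}.rpz-ip CNAME .")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    entries = load_tracker(TRACKER_EXPORT)
    for e in triage(entries):
        print(f"{e['status']:8} {e['cc']} AS{e['asn']} {e['host']} {e['ip']}")
    print(rpz_zone(entries))
```

Offline C&Cs stay on the list and in the zone on purpose: a depeered network that reconnects brings its hosts back at the same addresses, so a blocklist that drops entries the moment they go quiet is a blocklist that has to be rebuilt the week the ASN comes back.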

Kneber discovery by Netwitness.  Call it what it was. Zeus.  75GB of exfilled data on a server.  Not too shabby of a find.  Idiots left an open directory.  What kind of doomkoff leaves 75GB of purloined data on a box?  If you're gonna do it, do it right and take that shit off daily.  BTW Zeus goes way way back to the WSNPOEM days, and it was just as effective at stealing stuff then.  Look for the new hotness with Clampi/Ilomo and Bebloh/URLzone.  Memory scraping. nuff said.

So what is all this rambling on about?  I am waiting for the first bot to self-remediate.  That would be a game changer serving as a seminal event.

– then of course they would move toward public/private key based command integrity methods, but that's a case for Malware Evolution!
