
Botnet Backtrace

  • 14-04-2011 12:10pm
    #1
    Closed Accounts Posts: 452 ✭✭


    Ok guys, just a *hypothetical*
    Say one of my honeypots gets infected with a botnet client and I disassemble it, and trace it back to its C&C.

    Say it looks like a skid net and I KNOW it's vulnerable to SQLi...

    And it is on a 'bulletproof' host that doesn't respond to abuse emails.

    What is the ethics regarding going deeper and using the 'Uninstall' feature to clean the bots?

    I mean it's a simple auth_bypass vuln in fork()ing Warbot for chrissake, well known vuln in the CP...

    Also what about hijacking IRC channels to uninstall IRC botnets? i.e. clean the victims?

    It is a trivial thing to do and my honeypot keeps getting new bots in it... It is a malware zoo!

    Also, if you've got SpyEye...

    Look in the C:\ drive.
    If there is a folder called 'cleansweep.exe' you are infected.

    The file in it HAS Microsoft certificates and looks legit, but it's actually the malware's.

    Delete it.

    Voila - system clean.

    ++++++

    IDEA!

    I can actually set up a site with a bunch of control panels on it for different botnets, and let you guys have a crack at them to find a way in.

    I know ZeuS has vulns, as does WarBot. And Eleonore Exploit Pack has MANY vulns.

    I have a large collection of the things in my 'to analyse' list... So let's go bug hunting :D
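    The SpyEye check described in the post above (a folder named 'cleansweep.exe' in the root of C:\) can be turned into a triage script that records what it finds before anything is deleted. This is an added example, not code from the original post: it assumes a Windows host with PowerShell 4 or later, the indicator path is the one the post names, and the function name is hypothetical. It goes a step beyond the post by checking the Authenticode signature and hashing each file, so a responder has evidence to hand to an IR team rather than just a deleted folder.

```powershell
# Added example (not from the original post). Checks for the SpyEye
# indicator folder named in the thread and reports on its contents.
$IndicatorPath = 'C:\cleansweep.exe'   # path as given in the post

function Get-SpyEyeIndicatorReport {
    param([string]$Path = $IndicatorPath)

    # A directory carrying an .exe-style name is itself a red flag; report
    # its presence explicitly rather than silently returning nothing.
    if (-not (Test-Path -LiteralPath $Path -PathType Container)) {
        return [pscustomobject]@{ Present = $false; Path = $Path; Files = @() }
    }

    # For every file inside, capture size, SHA-256 and signature status.
    # The post says the dropped file "looks legit" because of its certificate;
    # Get-AuthenticodeSignature shows whether that signature actually verifies.
    $files = Get-ChildItem -LiteralPath $Path -File -Recurse -ErrorAction SilentlyContinue |
        ForEach-Object {
            $sig  = Get-AuthenticodeSignature -FilePath $_.FullName
            $hash = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
            [pscustomobject]@{
                File      = $_.FullName
                Size      = $_.Length
                SHA256    = $hash
                SigStatus = $sig.Status          # Valid, NotSigned, HashMismatch, ...
                Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(unsigned)' }
            }
        }

    return [pscustomobject]@{ Present = $true; Path = $Path; Files = @($files) }
}

# Usage: run elevated, keep the report, then decide on containment.
$report = Get-SpyEyeIndicatorReport
if ($report.Present) {
    Write-Warning "Indicator folder present: $($report.Path)"
    $report.Files | Format-Table -AutoSize
    $report.Files | Export-Csv -Path "$env:TEMP\spyeye-indicator.csv" -NoTypeInformation
} else {
    Write-Output "Indicator folder not present: $($report.Path)"
}
```

    Keeping the hashes and signature details (and the CSV) before removing anything means the infection can still be correlated with other hosts afterwards; a SigStatus of Valid with a Microsoft subject on a file in that location would be worth escalating rather than just deleting.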


Comments

  • Registered Users Posts: 1,691 ✭✭✭JimmyCrackCorn


    That would be an ethical issue and a legal minefield. If you google you'll find discussions dating back 10 years on this issue with viruses to disinfect viruses.


    The best you could do without getting into trouble is hand off your discovery to a law enforcement agency and let them dismantle the C&C infrastructure.

    If you look at the history of Zeus some of those vulnerabilities were deliberate.

    Not to mention researchers often find themselves on the receiving end of DDoS attacks for poking at C&C infrastructure.


  • Registered Users Posts: 1,311 ✭✭✭Procasinator


    It's probably a pointless exercise.

    While you might mess things up for a couple script kiddies, you also run the risk of pissing the wrong person off. You would want to be confident that your tracks are covered.

    Cleaning up zombies might seem like a good idea, but there is always the risk of messing them up or, being on the wrong side of the law even doing something which may seem right.

    Finding vulnerabilities in the control panels would be interesting from a hobby point of view, but getting any utility beyond that is unlikely (due to aforementioned risks).

    I would say the most utility you could get is if you are also a bot herder, as you could hijack these toolkit botnets (even unbeknownst to the current herder). Of course, you obviously don't want to do that as you wouldn't be here asking about the ethics. :pac:


  • Registered Users Posts: 1,311 ✭✭✭Procasinator


    Looks like the FBI might be doing some of the (hypothetical) work for ya:
    http://www.bbc.co.uk/news/technology-13078297


  • Closed Accounts Posts: 452 ✭✭Phractal


    It was the FBI thing (and the fact I had just found, at the time of posting, a Warbot CP with 500 bots!) that got me interested.

    Someone hosed the CP anyway and uninstalled the bots, no idea who, 'cos it ain't there now :P

    I figure, fork() 'em. As for the DDoS, I get them the odd time when playing XBL. Skiddies' latest trick is to use Cain to get IPs of other players or something, then use a 'host booter' to launch distributed denial of service attacks on players who pwn 'em too hard.

    Hell, those asshats even sell access to their 'Booters'.

    Not to mention some of 'em are damn creepy. I have a vendetta against some skiddie who 'jacked my webcam. If it was not for the light and a bit of thinking, it could have gotten awful weird...

