Full Disclosure mailing list archives

RE: Botnets and tracking and busting scriptkiddies


From: "Dominique Davis" <DDavis () pivx com>
Date: Mon, 14 Mar 2005 12:13:33 -0800

I think it was a great paper and very informative on the basics. I have
had some experience with tracking down botnets and have found some
techniques and methods that are very useful when it comes to shutting
down a botnet and tracking offenders.

On a few occasions I have used the following tracking and stalking
methods to hunt the script kiddie in its natural habitat. Keep in mind
these are very basic but useful.

Detection
The second you notice network traffic over the IRC port range 6000-7000
or suspect a bot, a sniffer is your friend. Ethereal is a good choice to
use to obtain the address of the destination hacked server as well as
channel passes. While normally I would recommend disassembly of the
infected file/bot, more and more bot authors are using things like
Morphine and custom cooked-up encryption schemes/packers to keep their
bots from being taken apart, thus keeping you from the juicy hardcoded
passwords and channel keys within.

So 9 times out of 10 the best way to capture the IP address of the
master server and the channel names and passwords is via sniffer. Now
once you have the IP address of the master server (the IRC server all
the bots are reporting to) the best thing to do is an ARIN lookup
(http://www.arin.net) and see who owns it. Most of the time you will
find it is a third party who has also been hacked and has no idea why
their server is running so slow. Immediately contacting abuse for their
net provider is a must.

After, and only after, contacting the proper authorities and the company
that actually owns the machine being used as a master controller: if you
have the permission of the second victim company to gain access to their
server to help with tracking the offender, your best bet for gathering
intel is to impersonate one of the bots in question!

To do this you will need the following:
1. A good IRC client (http://www.mirc.com). Make sure to turn on
logging and time stamping for both channels and private conversations.

2. The server IP and the nick the bot is using when it logs in, as well
as the channel key and channel name. These can be obtained by sniffing
outgoing traffic.


Now here comes the fun part.

Power off the bot-infected machine and assume its IP address. Do a
/server <victim server IP>. Now pay attention to the message of the
day, and make sure your nick is set to that of the bot.

This will give you the IRC server version, how many users, how long it's
been up (i.e. how long this machine has been owned), what commands it
supports, and most importantly whether or not it masks IP addresses. In
the case of masked IP addresses (i.e. some versions of Unreal IRCd)
there are crackers and ways around this.

Now simply do a /join #badguyschan key. The first thing you want here is
the topic, which will tell you what the handle of the attacker is and
what date he set up this botnet. If he is in channel do a /uwho and a
/dns to get his IP to hand over to the victim companies and/or the feds
for a quick crucifixion.

If said bad guy is not there do a /list to see other channels to join;
also putting him on /notify is a good idea. Other useful ideas are a
/whowas.

However if you get something like a masked IP, which will look like
badguy@43534tnefgnei4t (garbage string here), you have 3 options:

1. Leave it to the sysadmins to look through their logs for connections
to that port range at that time, or

2. Look for an exploit that allows you to unmask the IPs. Unreal IRCd
has been known to have a few of these, or

3. Try a little legwork: join several of the larger IRC networks like
EFnet, DALnet, Undernet etc. in separate instances of mIRC with the bad
guy's nick on notify and keep doing /whowas for his nick and variations
of the bot nicks. With his nick on notify for all of them, from here it's
just a matter of waiting for his login to DALnet or EFnet (which don't
have IP masking) to coincide with his login to the infected system, then
do a /dns on the other network and voila, you got him.

However if there is no IP masking on the victim machine's IRC server,
you just do a /who badguy and then a /who *botnamevariant*, because
bots usually end up sequentially numbered after their initial name,
i.e. flooder12234, flooder122345 and so on. Not only have you caught
the script kiddies in question but you also now have the IPs of all the
folks who are infected as well, to help the proper authorities clean up
the mess.

Dominique Davis aka Mister Mojo 
PivX Solutions, Inc.


Qwik Fix Pro is now available for purchase:
http://www.pivx.com/qwikfixPurchase/
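An added example of my own, not part of Mr. Davis's post and not code from any tool he names: a small Python script that applies the detection step above to sniffed IRC traffic from the defender's side. The capture lines, host addresses, channel name, key, topic and nicks are all constructed for illustration. It parses the raw IRC framing, records which hosts JOIN which channel with which key, keeps the channel topic (where the post says the handle and set-up date live), and flags channels whose members are sequentially numbered nicks like flooder12234, the naming pattern the post describes. The result is the list of infected hosts and the controller channel to hand to the server owner and the abuse contacts.

```python
"""Spot botnet-style IRC activity in captured traffic (defender-side triage).

Added example; the traffic below is constructed, not from the original post.
"""
import re
from collections import defaultdict

# Constructed sample: (source host, plaintext IRC line) pairs as a sniffer such
# as Ethereal would reassemble them. Hosts 10.0.0.12/.15/.22 behave like bots
# reporting to one controller; 10.0.0.40 is an ordinary user. Not real traffic.
SAMPLE_CAPTURE = [
    ("10.0.0.12", "NICK flooder12234"),
    ("10.0.0.12", "JOIN #badguyschan s3cretkey"),
    ("10.0.0.12", ":irc.controller.invalid 332 flooder12234 #badguyschan :owned by m0j0 2005-03-01"),
    ("10.0.0.15", "NICK flooder12235"),
    ("10.0.0.15", "JOIN #badguyschan s3cretkey"),
    ("10.0.0.22", "NICK flooder12236"),
    ("10.0.0.22", "JOIN #badguyschan s3cretkey"),
    ("10.0.0.40", "NICK alice_"),
    ("10.0.0.40", "JOIN #linux"),
]

# Nicks of the form <base><digits>, e.g. flooder12234 (the bot naming pattern from the post).
BOT_NICK = re.compile(r"^(?P<base>[A-Za-z_\[\]\\^{}|`-]+)(?P<num>\d{2,})$")


def parse_irc_line(line):
    """Split a raw IRC line into prefix, command and params (RFC 1459 framing)."""
    prefix = None
    if line.startswith(":"):
        prefix, _, line = line[1:].partition(" ")
    head, sep, trailing = line.partition(" :")
    parts = head.split()
    if not parts:
        return None
    params = parts[1:]
    if sep:
        params.append(trailing)  # trailing parameter may contain spaces
    return {"prefix": prefix, "command": parts[0].upper(), "params": params}


def cluster_bot_nicks(nicks, min_members=3):
    """Group nicks that share a base name and differ only in a numeric suffix."""
    groups = defaultdict(list)
    for nick in nicks:
        m = BOT_NICK.match(nick)
        if m:
            groups[m.group("base")].append(nick)
    return {base: sorted(members) for base, members in groups.items()
            if len(members) >= min_members}


def report(capture, min_hosts=3):
    """Return channels whose members look like numbered bots, with keys and topic."""
    nick_by_host = {}
    keys_by_channel = defaultdict(set)
    hosts_by_channel = defaultdict(set)
    topics = {}
    for src, raw in capture:
        msg = parse_irc_line(raw)
        if msg is None:
            continue
        cmd, p = msg["command"], msg["params"]
        if cmd == "NICK" and p:
            nick_by_host[src] = p[0]
        elif cmd == "JOIN" and p:
            channels = p[0].split(",")
            keys = p[1].split(",") if len(p) > 1 else []
            for i, chan in enumerate(channels):
                hosts_by_channel[chan].add(src)
                if i < len(keys):
                    keys_by_channel[chan].add(keys[i])
        elif cmd == "332" and len(p) >= 3:  # RPL_TOPIC: <nick> <channel> :<topic>
            topics[p[1]] = p[2]

    suspect = {}
    for chan, hosts in hosts_by_channel.items():
        member_nicks = [nick_by_host[h] for h in hosts if h in nick_by_host]
        if len(hosts) >= min_hosts and cluster_bot_nicks(member_nicks, min_hosts):
            suspect[chan] = {
                "hosts": sorted(hosts),
                "keys": sorted(keys_by_channel[chan]),
                "topic": topics.get(chan),
            }
    return {"suspect_channels": suspect,
            "bot_nick_groups": cluster_bot_nicks(nick_by_host.values(), min_hosts)}


if __name__ == "__main__":
    for chan, info in report(SAMPLE_CAPTURE)["suspect_channels"].items():
        print(chan, info)
```

Feed it the reassembled IRC lines from your own capture (one tuple per source host and line) and lower `min_hosts` if the infected population on your network is small; the output gives the channel, key and topic for the abuse report and the host list for cleanup without touching the controller at all.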

-----Original Message-----
From: full-disclosure-bounces () lists grok org uk
[mailto:full-disclosure-bounces () lists grok org uk] On Behalf Of phased
Sent: Monday, March 14, 2005 9:22 AM
To: full-disclosure () lists grok org uk
Subject: Re: [Full-disclosure] Re: Know Your Enemy: Tracking
Botnets(ThorstenHolz)


no they didn't, shit paper, nothing new, absolute crap just publicity
bollocks

-----Original Message-----
From: David Jungerson <david-jungerson () web de>
To: full-disclosure () lists grok org uk
Date: Mon, 14 Mar 2005 16:26:39 +0100
Subject: [Full-disclosure] Re: Know Your Enemy: Tracking Botnets
(ThorstenHolz)


You guys did a tremendous job!

(Go away, trolls!)

    David Jungerson
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://www.secunia.com/
