In Focus
What If You Could Take Down a Botnet?
by Mark Joseph Edwards, News Editor
Last week, Cody Pierce and Pedram Amini (members of
TippingPoint's security research group) released a detailed analysis of
the Kraken botnet. The purpose of the analysis was to see whether the
bot network could be infiltrated.
In order to test that possibility, Pierce and Amini had to take a very
close look at the inner workings of the botnet code. With a sample in
hand, they disassembled the code and dove into its inner workings to
find an inroad into the botnet. The idea wasn't to become a bot in the
network but to become a command and control server for the actual
bots.
Amini explained, "The key to overtaking the botnet is understanding how
the overall client-server architecture works. Kraken infected systems
attempt to 'phone home' to a master command and control server by
systematically generating sub-domains from various dynamic DNS resolver
services such as dyndns.com. By reverse engineering the list of names
and successfully registering some of the sub-domains Kraken is looking
for, we can emulate a server and begin to infiltrate the network zombie
by zombie. Stated simply, Kraken infected systems worldwide start to
connect to a server we control."
After reverse-engineering the bot, which of course included its
encryption algorithm, Pierce and Amini were successful with their
infiltration. After one week of running their rogue command and control
server, they discovered that about 25,000 systems were infected with the
Kraken bot. That is to say, about 25,000 unique computers connected to
their rogue command and control server.
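The phone-home behaviour the researchers describe (a bot systematically trying sub-domains under dynamic DNS providers until one answers) is also visible from the defender's side in resolver logs. The following is an added example, not code from the article or from TippingPoint, that flags internal clients trying many distinct, mostly unregistered names under watched zones; the log lines, the `example-dyndns.test` zone and the log format are constructed for the demonstration.

```python
# Added detection example (not from the article): spot hosts that cycle
# through generated sub-domains of dynamic DNS providers, the behaviour
# the Kraken analysis attributes to infected systems looking for their C2.
from collections import defaultdict

# Assumed watch list: dyndns.com is named in the article; the second
# zone is a constructed placeholder for the "various" other services.
DYNDNS_ZONES = ("dyndns.com", "example-dyndns.test")

# Constructed resolver log: "<timestamp> <client-ip> <query-name> <rcode>"
SAMPLE_LOG = """\
2008-04-28T10:00:01 10.0.0.5 mail.example.test NOERROR
2008-04-28T10:00:02 10.0.0.7 qwerkb.dyndns.com NXDOMAIN
2008-04-28T10:00:03 10.0.0.7 zxmcnb.dyndns.com NXDOMAIN
2008-04-28T10:00:04 10.0.0.7 plokij.dyndns.com NXDOMAIN
2008-04-28T10:00:05 10.0.0.7 hgtyui.example-dyndns.test NXDOMAIN
2008-04-28T10:00:06 10.0.0.7 bvcxza.dyndns.com NOERROR
2008-04-28T10:00:07 10.0.0.9 myhome.dyndns.com NOERROR
"""

def parent_zone(name):
    """Return the watched dynamic DNS zone that `name` falls under, or None."""
    for zone in DYNDNS_ZONES:
        if name == zone or name.endswith("." + zone):
            return zone
    return None

def summarize(log_text):
    """Per client: distinct watched names tried, NXDOMAIN count, names that resolved."""
    stats = defaultdict(lambda: {"names": set(), "nxdomain": 0, "resolved": set()})
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines rather than crash on them
        _ts, client, qname, rcode = parts
        qname = qname.lower().rstrip(".")
        if parent_zone(qname) is None:
            continue  # only dynamic DNS zones are of interest here
        entry = stats[client]
        entry["names"].add(qname)
        if rcode == "NXDOMAIN":
            entry["nxdomain"] += 1
        else:
            entry["resolved"].add(qname)
    return stats

def suspicious_clients(log_text, min_names=3, min_nxdomain=2):
    """Clients that tried many distinct names, mostly unregistered; the
    names that did answer are the candidate control servers to investigate."""
    hits = {}
    for client, e in summarize(log_text).items():
        if len(e["names"]) >= min_names and e["nxdomain"] >= min_nxdomain:
            hits[client] = sorted(e["resolved"])
    return hits
```

A legitimate dynamic DNS user (10.0.0.9 above) queries one stable name and is not flagged; the thresholds are starting points to tune against a site's own baseline.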
Apparently there's some debate about how big the Kraken botnet really
is. The estimates range from roughly 185,000 bots to as many as 650,000
bots. Pierce and Amini said that since they were able to communicate
with 25,000 bots, they effectively had control over anywhere from 4 to
14 percent of the entire botnet.
Then came the question of what to do with such control: sit back and
watch, or on the other hand, possibly take action to remove the bot
software from infected systems. That's an interesting question with no
easy answer, although cleaning up the infected systems is very tempting.
First, there are issues that center around legalities. For example, is
it legal to remove malware from people's systems without their
permission? I'd guess that it's not. Even so, would authorities or
individuals seek to press charges if unauthorized removal took place?
Then there are issues that center around potential damage to an infected
system. Pierce and Amini point out that Dave Endler, who also works at
TippingPoint, is against removal for these relatively solid reasons:
What if a computer is damaged or crashes in the process of removal? And
what if such a computer were in some way partially responsible for
someone's life, as might be the case if a computer were located in a
hospital, clinic, or doctor's office?
Clearly the only safe way to handle this kind of dilemma is to gather
the IP addresses of infected computers, find out which companies manage
those IP addresses, and contact those companies to let them know about
the infected systems. Hopefully those companies would take steps to
clean up the botnets and help the end users of those addresses get some
adequate protection installed on their systems.
Of course, because cleaning up the infected systems through the use of a
command and control server is incredibly tempting, there are those who
would take such action regardless of the risks involved.
If you're interested in the details of the analysis or in sharing your
perspective on how you think such an issue should be handled, head over
to TippingPoint's Digital Vaccine Labs blog at the URL below. There
you'll find detailed technical explanations of the analysis (including
disassembled code snippets), links to related information regarding
Kraken, and plenty of comments from readers who've commented on how they
think the moral issue should be handled.
dvlabs.tippingpoint.com/blog/2008/04/28/kraken-botnet-infiltration
Security Horror Story Contest
Tell us about a security hole that you found, a virus
that shut down your network, an embarrassing or scary near-miss or
direct hit. (Be sure to describe how you solved the problem too.)
We’ll print the best tales in a Windows IT Pro cover story
(anonymously, if you like), and you’ll win a 1-year Windows IT Pro VIP
subscription. Send your security horror stories (no more than 500 words)
to lpeters@windowsitpro.com by May 9.
Security News and Features
Malware Authors Turn to AV Companies to Defend Copyrights
Malware authors don't stand a chance of enforcing any
type of copyright on their malicious code--or do they? Some malware
authors are threatening to send copies of code that violates their
"copyright" to antivirus companies.
Microsoft Hosts LE Tech 2008 Training
Microsoft is hosting Law Enforcement Technology (LE
Tech) 2008 to help train law enforcement agency personnel in the ways of
tracking down and convicting criminals by using digital evidence.
Abraxas Buys Anonymizer
The industry's oldest Web anonymization service has been
acquired by Abraxas, who intends to add the service to its risk
mitigation technology offerings.
Recent Security Vulnerabilities
If you subscribe to this newsletter, you also receive
Security Alerts, which inform you about recently discovered security
vulnerabilities. You can also find information about these discoveries at
www.windowsitpro.com/departments/departmentid/752/752.html
Give and Take
SECURITY MATTERS
BLOG: New Tricks for SQL Injection Attacks
by Mark Joseph Edwards
You might think procedures that don't accept user input
are immune from SQL injection attacks. But that's not always the case.
Learn why in this blog entry.
windowsitpro.com/blog/index.cfm?action=BlogIndex&DepartmentID=949
FAQ: PowerShell Lists Machine Services
by John Savill
Q. How can I use Windows PowerShell to return a list of
machine services in a designated state?
Find the answer at
windowsitpro.com/article/articleid/98944
Vote in the 2008 Windows IT Pro Community Choice Awards!
Final voting for the Windows IT Pro Community Choice
Awards is now open! Voting in this awards program is open to all Windows
IT Pro Web site visitors, but vendors whose products are nominated are
prohibited from voting. Enter the voting tool at:
www.surveymonkey.com/s.aspx?sm=_2fz97tv4rU5iY2IsYDbyCRg_3d_3d
Voting closes May 23 at 11:45 p.m. Mountain Time.
SHARE YOUR SECURITY TIPS AND GET $100
Share your security-related tips, comments, or problems
and solutions in Security Pro VIP's Reader to Reader column. Email your
contributions to r2r@securityprovip.com. If we
print your submission, you'll get $100. We edit submissions for style,
grammar, and length.
Products
New Hosted Email Service for SMBs
Proofpoint announced Proofpoint on Demand--Standard
Edition, an easier-to-use, lower-cost version of its Proofpoint on
Demand service designed for small-to-midsized businesses (SMBs).
Standard Edition provides spam blocking, virus protection, and content
filtering capabilities (to detect outbound spam and virus-laden
messages). It's hosted in a multi-tenant environment that uses the same
data centers as Proofpoint's dedicated offering, Proofpoint on
Demand--Enterprise Edition. The Standard Edition also offers the same
performance guarantees, including 99 percent spam effectiveness, 100
percent virus protection, "five nines" availability, and "no delay"
email delivery. For more information, go to
www.proofpoint.com
Resources and Events
Top 5 Advantages of Using Hosted Microsoft Exchange 2007
and SharePoint Services
Learn how and why businesses of all sizes are evaluating full-featured,
enterprise-class solutions such as Microsoft Exchange Server 2007 and
SharePoint to meet their business goals. Download this on-demand seminar
to see how a hosted service fits with SharePoint and Exchange.
windowsitpro.com/Downloads/Index.cfm?fuseaction=ShowDownload&uuid=02ffc8f7-ca42-48dd-8a4b-601096249b5e&code=043008er
Small companies rarely stay that way--they grow. Regardless of the stage
of growth, there's always a need to access, report on, and analyze data
from different sources. This white paper discusses the components of
business intelligence (BI) and enterprise performance management
solutions that a growing business should consider and leverage.
windowsitpro.com/whitepapers/Index.cfm?fuseaction=ShowWP&wpid=3266d75c-94e4-42e6-b9ce-0cf9db98f285&code=043008er
SQL Server 2008 is on the way, and it's got the industry buzzing. The
first significant upgrade in three years features envelope-pushing
enhancements and improvements. Examine the 10 most valuable features of
the SQL Server 2008 release. Read this white paper to discover all 10
and see how SQL Server 2008 can make your life easier.
www.sqlmag.com/Whitepapers/Index.cfm?fuseaction=ShowWP&WPID=35198088-9642-4fe2-8b24-a968bc4bda22&code=043008E&R
Featured White Paper
This white paper discusses how Network Access Control
(NAC) handles rogue computers, how to fit NAC into any environment, the
components to look for in a NAC solution, and the results you can expect
when you put such a solution into place. Download this white paper to
ensure that your company can combat today's threats while remaining
nimble enough to address tomorrow's.
www.windowsitpro.com/go/wp/sophos/nac/?code=043008e&r
Announcements
Windows IT Pro Master CD: Take the Experts with You!
Find the solutions you need within the thousands of searchable articles,
helpful bonus content, and loads of expert advice on the Windows IT Pro
Master CD. A Master CD subscription buys you portable access to the
entire Windows IT Pro article database plus exclusive access to all the
new articles we publish only on WindowsITPro.com every day. It's like
having a team of consultants in your pocket! Get real-world solutions
fast--order the Windows IT Pro Master CD today.
store.pentontech.com/index.cfm?s=1&promocode=EU2284WC&
If you use a product that has made a tremendous impact in your
organization and is a product that you can't live without, tell us about
it at whatshot@windowsitpro.com and we'll feature your review in a future
issue of the magazine, under the "What's Hot" section.