InBoxRevenge KS Forum

Perhaps this is a place for my usual quip: install Linux
It's cheaper than buying a Mac, and generally more secure than Win. Also, if you take the time REALLY to learn to use it, you'll know lots of the technology underneath.

Last iMac 400 I bought cost £29 and OSX 10.2.8 was about £3 still, I suppose Linux is free - Apple is nicer though!

How do internet service providers go about tracking down bot-infected users on their networks? It would seem to be a moving target since most of them are logging on and off and getting new IP numbers all the time. A spamcop report would likely not indicate who was logged in with that IP at the time the spam was sent, especially with so many spams coming with fake timestamps. Lately, I notice a lot of spamcop reports that say the ISP no longer wants reports about a particular spamvertised site, and I suspect it is because by the time they get the report, the site isn't at the IP number spamcop is reporting.

If there were an "-ator" that every hour or so looked up the IP numbers for sites known to use hijacked servers, identified those within pre-defined assigned number ranges, and reported them out, would it help ISP's who do a lot of handholding for inexperienced users, like Comcast, Verizon, ATT, RoadRunner, etc., identify machines that are currently logged on that are part of botnets so they could shut them down immediately and help them get cleaned? Do people think they are concerned enough about it to use something like that?

It would at least be some consolation when spamvertised sites continue operating for weeks that someone could be using that semi-permanence to mine them for information.

You raise some interesting and valid points. Let's look at the numbers and extrapolations.

Think not in terms of millions of infected machines globally.

Nor think in terms of tens of millions of infections.

Think rather in terms of hundreds of millions.

Don't stop there. Consider an average 1 hour per removal of each of these deep seated infections. Now we are scoping the true size of the task.

Botnet tracking. I do not consider this to be an external task, as you suggest. Yes, it is possible to discover the botnet IPs from
- spam source tracking
- DNS fastflux detection
- DDOS source logging
But that is far too inefficient, time consuming, and cumbersome. Not to mention ineffectual.

I contend that the only way to perform effective botnet tracking is via an internal methodology. That is where the current thinking is concentrated.

Botnet removal. The mathematical extrapolation puts this in perspective. I contend that the ultimate responsibility rightly belongs with the Operating Systems developers. Currently it rests with the AV vendors, who are too disjointed and fragmented to handle the task in hand, a task which it has now got out of hand.

[falls off soap box]

It seems like a circular problem -- Microsoft and other major software vendors want to be able to talk to their programs not only to provide updates but to detect piracy. So they have things like active-x in IE that allows them to find out what updates are needed but also allows malware to install itself, and come up with things like Microsoft's one-way firewall.

Users want to get everything free, so they get pirated software and don't update it because they don't want their pirated copies to be detected, and therefore software designers can't save them from themselves.

Businesses are trying to police their employees' internet use to prevent malware infections, but are forced to allow them to use IE because many of the sites they have to interact with require active-x and require security to be set no higher than "medium." They can't even limit their employees ability to download executable functions off the web without also limiting the ability to do simple things like reset the clocks when daylight savings time comes early.

He raised the point......

You raise some interesting and valid points. Let's look at the numbers and extrapolations.

Think not in terms of millions of infected machines globally.

Nor think in terms of tens of millions of infections.

Think rather in terms of hundreds of millions.

Don't stop there. Consider an average 1 hour per removal of each of these deep seated infections. Now we are scoping the true size of the task.

So if I can ask a silly question and point out a foolish plan. Why not a bot that finds it way to those infected machines and points out that it is being used for such and such a purpose and was discovered by ip trackback or whatever. Wouldn't that make it possible to cut a great number of the machines out of the botnet by letting the owners know they need to do something?

It might not stop all future infections but it could lessen the number of currently infected machines. After all the answer to the problem of spam will probably be a variety of partial fixes rather than one magic bullet. At least for now

"Your machine is infected - do something"

How about
"Your machine is infected, click here for information, click OK to remove the infection"

How soon after that would you see this message pop-up being used to disseminate infections?

Therein lies the problem. Once you consider using a "push" technology to clean out the hundreds of millions of bot infections, and people become conditioned to accept the execution of programs that arrive unrequested, it becomes a new distribution vector for malware.

To be successful, the process needs very wide education and authentication and safeguards to avoid exploitation.

Having said all that, the capture of a botnet's C&C has recently been used to discover and clean out the net. So it is feasible, and personally I would love to see this approach become the established norm.

Incarceration is the answer :P


Though definately harder to pull-through....as seen within the spam news forum, regarding the "Shadow" botnet...? And how Kaspersky reported that they were going to figure a way to "issue a patch over the "bot network" to clean up the machines.


Now, I don't know the actual "scale" of this "Shadow" botnet, I've been out of the loop since the CC perf/DDoS issues, and with work, and that's actually the first I even heard of this Shadow Botnet...heh.

But if this is really what went down, that sounds great.

Now the hard part is tracking down the bot-herder(s)/master(s) which could be hard, since Storm alone has found to be linked with "mixed" brands, all over the spectrum, likely due to the herders/masters "selling" bots, etc....



As far as SpamCop - I've noticed this alot recently too, since filing reports manually...in most cases, I'll input a message to the abuse desk at the bottom of the page in the "Notes" area, to let them know to check the timestamps to figure out what customer/computer was logged into their system at that time so they can track it down.

But it's not always that easy...hell, I've had "Panera Bread" abuse desk appear in my spamcop reports.....likely due to an infected laptop, that connected to their public wifi, and was spewing spam messages from an infected laptop on their network.


In that case, there's not much Panera Bread could do, other than maybe port/traffic filtering....? But since this is only a fast-food bread/coffee store, that's kinda unlikely :P

I updated the initial post by Ky. I left the followups, though some suggestions are out of date.