What about the botnets?!

Botnets are a huge problem for a number of reasons. Not only are they used to send spam, they’re also used in criminal activities. One of the major challenges in dealing with botnets is finding and stopping the people who create and use them. Why? Because the internet is global and crime tends to be prosecuted within local jurisdictions.

White Collar Crime.
Catching someone running a botnet, or involved in crime online in general, requires cooperation from authorities in multiple jurisdictions. Police, lawyers, and other officials have had to create relationships to work together, all while respecting international law. It’s a involved and complicated process, and that’s before we talk about the challenges in actually figuring out who is running the botnet. Subject matter experts, like operating system manufacturers or anti-virus companies, are also part of the process in most cases. (Read about the Simda botnet takedown at Interpol)
Despite the challenges, botnets do get taken down and criminals do get arrested and brought to justice. Today the Department of Justice announced a guilty plea from a Russian citizen charged with infecting machines with malware.

Senakh and his co-conspirators used the Ebury botnet to generate and redirect internet traffic in furtherance of various click-fraud and spam e-mail schemes, which fraudulently generated millions of dollars in revenue. As part of the plea, Senakh admitted that he supported the criminal enterprise by creating accounts with domain registrars which helped build the Ebury botnet infrastructure and personally profited from traffic generated by the Ebury botnet.

Ebury is kinda interesting because it’s actually a Linux botnet, not a Windows one. It used a SSH exploit to get in, stole user credentials and then smuggled the credentials out in special TCP packets. CERT-BUND has some of the gritty technical details of what they discovered. And WeLiveSecurity also has a writeup on how the infection worked.
Botnets are a problem. Catching people is a long, drawn out challenge. But, it can be done.

Related Posts

Abuse, triage and data sharing

The recent subscription bombs have started me thinking about how online organizations handle abuse, or don’t as the case may be. Deciding what to address is all about severity. More severe incidents are handled first. Triage is critical, there’s never really enough time or resources to investigate abuse.
biohazardmail
What makes an event severe? The answer is more complicated that one might think. Some of the things that ISP folks look at while triaging incoming complaints include:

Read More

Following the SMTP rules

An old blog post from 2013, that’s still relevant today.
“Blocked for Bot-like Behavior”
An ESP asked about this error message from Hotmail and what to do about it.
“Bot-like” behaviour usually means the sending server is doing something that bots also do. It’s not always that they’re spamming, often it’s a technical issue. But the technical problems make the sending server look like a bot, so the ISP is not taking any chances and they’re going to stop accepting mail from that server.
If you’re an ESP what should you look for when tracking down what the problem is?
First make sure your server isn’t infected with anything and that you’re not running an open relay or proxy. Second, make sure your customers aren’t compromised or have had their accounts hijacked.
Then start looking at your configuration.
HELO/EHLO values

Read More

Anti-Botnet Code of Conduct Published

The Communications Security, Reliability and Interoperability Council (CSRIC) published a Anti-botnet code of conduct for ISPs. This is a purely voluntary code for U.S. ISPs that want to mitigate the botnet threat to follow. You can download a full copy of the final report from the MAAWG website. The FCC has published a fact sheet about the report on their own website.

Read More