How To Report A Botnet
Over the past several days, we've been asking readers to report to us information on botnets and botnet controllers. One thing that we've noticed is that there is a wide range of "value" to the information that we're getting. So we thought it would be a good idea to give some guidance about what kind of information we need.
Please give us *complete* information. We need information that will allow us to substantially confirm the "charges" that you're making. Hey... it's not that we don't trust you, but you're asking us to get machines shut down, and before we're going to try to do that, we're going to want to check things out for ourselves. (OK, so perhaps it really IS that we don't trust you. Just don't take it personally: we're professionally paranoid.) Beyond the IP address of the machine that you believe is acting as a bot controller, we need to know the port that the control channel is running on. Lately, we've been seeing many of these controllers running IRC on non-standard ports. Also, if you can give us any information on the channel or nicks being used, that would be incredibly helpful. (A suggestion: if it's within your power to reboot a machine infected with a bot, if you monitor connections as it reboots, you'll likely see channel connection information.)
Best of all is to only turn to us after you've attempted to get the machine shut down yourself. What?!? Is the ISC shirking its duty? Naaaaah. We really do try to work on everything that gets reported to us. However, there are only about 30 of us, so sometimes we get stretched a little thin.
Courtesy of ISC Handler Pedro Bueno, here are some tips for becoming a Do-It-Yourself incident handler:
1) If you have the IP address of the botnet controller you could try to send an email to the security/abuse address at the responsible ISP to report it. A whois tool will help you to identify the ISP responsible for that IP address. On a Unix-like system, the command "whois" can give you this information: whois <Botnet-IP-Address>.
On Windows, if you don't have a whois client, you can use one of the web-based whois services to look up the information, e.g. "GeekTools" at http://www.geektools.com/whois.php . Remember to be specific in the information that you provide, and BE POLITE.
2) If you don't receive any information or acknowledgment from the ISP, or if you don't want to make the initial contact yourself, you could do the initial leg-work and then send the information that you've gathered to the ISC using our contact form ( http://isc.sans.org/contact.php ). Please pass along the WHOIS information on the ISP that you found, and if possible the "AS" number of the ISP. The Team Cymru whois server can provide this information: point your WHOIS client at whois.cymru.com.
3) If, for whatever reason, you don't want to use the whois servers/services above, or don't want to contact the ISP, or if you don't seem to be getting anywhere, then please inform us through the ISC contact form. Be sure to list the IP address and the port number that the botnet is using, any channel/nick/password information you may have, and if you believe that it is currently active.
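As an added example (not from the diary or the ISC), here is a small Python script that takes the whois output from step 1 and the Team Cymru reply from step 2 and assembles the report described in step 3, refusing to build one for a private or loopback address. The whois replies, the 198.51.100.23 address, AS64496, the ISP name and the abuse mailbox are all constructed samples.

```python
import ipaddress
import re
# Constructed sample of ARIN-style "whois <ip>" output; 198.51.100.0/24 is a documentation range.
SAMPLE_WHOIS = """\
NetRange:       198.51.100.0 - 198.51.100.255
OrgName:        Example ISP
OrgAbuseEmail:  abuse@example-isp.invalid
"""
# Constructed, abridged sample of a Team Cymru reply (whois -h whois.cymru.com " -v 198.51.100.23").
SAMPLE_CYMRU = """\
AS      | IP               | BGP Prefix      | CC | AS Name
64496   | 198.51.100.23    | 198.51.100.0/24 | ZZ | EXAMPLE-ISP-AS
"""
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_reportable(ip):
    """A private, loopback or link-local address cannot be a remote controller; don't report it."""
    a = ipaddress.ip_address(ip)
    return not (a.is_loopback or a.is_link_local or any(a in n for n in RFC1918))

def abuse_contact(whois_text):
    """Return the abuse mailbox (ARIN 'OrgAbuseEmail' or RIPE 'abuse-mailbox'), or None."""
    m = re.search(r"^\S*abuse\S*:\s*(\S+@\S+)", whois_text, re.I | re.M)
    return m.group(1) if m else None

def as_number(cymru_text):
    """Parse the AS number from Team Cymru's pipe-separated reply, skipping the header row."""
    for line in cymru_text.splitlines():
        first = line.split("|")[0].strip()
        if first.isdigit():
            return int(first)
    return None

def build_report(ip, port, whois_text, cymru_text, channel=None, nick=None, active=True):
    """Assemble the facts the diary asks for into one plain, polite abuse report."""
    if not is_reportable(ip):
        raise ValueError(f"{ip} is not a routable address; nothing to report")
    body = [
        f"Subject: Suspected botnet controller at {ip}:{port}",
        "Hello, I believe a host in your network is being used as a botnet controller.",
        f"IP address: {ip}",
        f"Control port: {port}",
        f"AS number: {as_number(cymru_text)}",
        f"IRC channel: {channel or 'unknown'}",
        f"Nick(s): {nick or 'unknown'}",
        f"Currently active: {'yes' if active else 'no'}",
        "Thank you for looking into this.",
    ]
    return {"to": abuse_contact(whois_text), "body": "\n".join(body)}
```

If the registry lists no abuse mailbox, `to` comes back as None and the report belongs in the ISC contact form instead.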
Glitch In The Matrix?
Have a feeling of Deja Vu? ISC Handler Ed Skoudis has documented some strangeness with Microsoft's Windows Update. It seems as though the folks in Redmond changed things for a bit today. When visiting Windows Update, rather than scanning your system to show if you were current with patches, WU presented visitors with the following:
According to Ed, things are back to normal now.
Usually, we would all just nod a lot and say "Sure, Ed..." (Remember: "Professional Paranoia") but he actually trotted out some screen caps to prove his point. So, did anyone else notice this?
UPDATE: A reader has written in confirming exactly what Ed saw. We never really doubted you, Ed ;-)
Bouncing Malware III Actually *IS* In the Works
I've gotten several requests from readers wanting to know when "Follow The Bouncing Malware, Part III" will be out. I've been working on it, but please realize that analyzing just one of the MANY malware samples takes several hours, so writing each of the installments is very, VERY time consuming (even if I didn't have other things to do ;-). Please be patient for a little while longer.
(Be nice to "cousin" Kevin...)
Handler on Duty: Tom Liston ( http://www.labreatechnologies.com )
Oct 22nd 2004