Mike’s Notes from Gunter’s Talk


Biggest clouds ever are botnets: Amazon EC2 is on the order of 200,000 machines, the largest botnets 10,000,000.

History of botnets: IRC as command and control

Nuke switches: Eliminate evidence by zeroing hard drive

Standardization of botnet languages

Botnet operators use multiple agents to avoid detection

Lots of free-market services available (malware QA, bot rental)

Very professional management tools

Domain flux: bots algorithmically generate a stream of new domains so C&C survives the takedown of any single domain
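A worked illustration of the domain-flux point above, added here as an example and not taken from Gunter's talk or Mike's notes: a toy deterministic domain generation algorithm (DGA) of the kind bots use, alongside the defender's use of it. Once the algorithm and its seed are recovered from a sample, the defender can precompute every domain the bots will try over the coming weeks and sinkhole all of them at once; `uncovered_days` shows the failure mode where a single missed domain leaves the operator a way back in. The seed, TLD list, domains-per-day count and the date are assumed values, not those of any real botnet.

```python
import datetime
import hashlib

# Illustrative assumptions, not values from any real botnet.
SEED = "example-seed-from-sample"   # hard-coded seed assumed recovered by reversing the bot
TLDS = ("com", "net", "info")       # assumed TLD rotation
DOMAINS_PER_DAY = 5                 # candidates each bot tries per day
LABEL_LEN = 12                      # length of the generated host label
EXAMPLE_DAY = "2010-04-15"          # constructed date for the demo


def _date(iso: str) -> datetime.date:
    return datetime.date.fromisoformat(iso)


def dga_domains(day_iso: str, seed: str = SEED, count: int = DOMAINS_PER_DAY) -> list:
    """Domains a bot generates for one day.

    Bot and operator share only the algorithm and the seed. The operator
    registers one of the day's candidates in advance; the bot tries them in
    order until one resolves. Because the date is an input, tomorrow's list
    differs from today's, so seizing today's domain alone buys one day.
    """
    domains = []
    for i in range(count):
        material = f"{seed}|{day_iso}|{i}".encode()
        digest = hashlib.sha256(material).hexdigest()
        # Map the first LABEL_LEN hex digits onto the letters a-p: a DNS-legal label.
        label = "".join(chr(ord("a") + int(h, 16)) for h in digest[:LABEL_LEN])
        domains.append(f"{label}.{TLDS[i % len(TLDS)]}")
    return domains


def precompute_blocklist(start_iso: str, days: int) -> set:
    """Defender: with seed and algorithm in hand, enumerate every domain for
    the next `days` days so all of them can be blocked or sinkholed at once."""
    start = _date(start_iso)
    block = set()
    for n in range(days):
        block.update(dga_domains((start + datetime.timedelta(days=n)).isoformat()))
    return block


def uncovered_days(start_iso: str, days: int, blocklist: set) -> list:
    """Days on which at least one candidate domain is NOT in the blocklist.

    Each such domain is one the operator could still register to regain
    control, so a take-down is only complete when this list is empty."""
    start = _date(start_iso)
    gaps = []
    for n in range(days):
        day = (start + datetime.timedelta(days=n)).isoformat()
        if any(d not in blocklist for d in dga_domains(day)):
            gaps.append(day)
    return gaps


def bot_resolve(day_iso: str, registered: set):
    """Bot side: first candidate that 'resolves' (is in the registered set).
    If the defender has sinkholed those names, the bot lands on the sinkhole."""
    for d in dga_domains(day_iso):
        if d in registered:
            return d
    return None


if __name__ == "__main__":
    today = dga_domains(EXAMPLE_DAY)
    operator = {today[2]}                      # operator registered only the third candidate
    print("bot reaches:", bot_resolve(EXAMPLE_DAY, operator))
    block = precompute_blocklist(EXAMPLE_DAY, 30)
    print(len(block), "domains to sinkhole for the next 30 days")
    print("days with gaps:", uncovered_days(EXAMPLE_DAY, 30, block))
    partial = block - {today[0]}               # a take-down that missed one domain
    print("days with gaps after missing one:", uncovered_days(EXAMPLE_DAY, 30, partial))
```

Real DGAs differ in detail (seeds drawn from the date, trending topics or an exchange rate, much longer candidate lists) but the defender's workflow is the same: recover the generator, enumerate ahead, and check that no day is left uncovered before calling the take-down done.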

Microsoft's botnet take-down was not successful because one C&C server was left online for too long


11 Responses to “Mike’s Notes from Gunter’s Talk”

  1. John Kuipers Says:

    I’m not so much surprised at the fact that there are DIY kits online as much as I am about the extent of the market built around malware production/management software. I can imagine someone getting spammed with emails saying things like “Interested in buying, selling or trading in your botnet?” or “Save money on your next botnet purchase”. It’s probably not the case, but it’s still an amusing thought for some reason. The rental aspect was also very surprising.

  2. Andrew Mishoe Says:

    First thought on seeing all these simple tools for developing botnets… what’s stopping the distributors of the software from including rootkits/malware in the installation, such that your C&C is controlled at a higher level?

  3. Ryan Paulsen Says:

    Given that the model for the distributors is to make money (selling the software is legal), your reputation and sales would plummet as soon as you did that once.

    Of course you could put a long term backdoor, sell lots of copies, and then after making sufficient money take control of all the little botnets and sell one giant super botnet.

  4. diabolicalmdog Says:

    Andrew, “good” idea!

  5. Paul Beresuita Says:

    Andrew, I agree that could be a possibility. Here is an article I found about the economics of Botnets, which I found interesting, particularly how much money botnet owners make by leasing and selling botnets.

  6. Michael Qin Says:

    Interesting article. I wonder if search engines have heuristics to combat SEO, but I can’t see how a computer would tell the difference between a legitimate and a bot-generated link.

  7. John Marshall Says:

    Michael, search engines definitely do have heuristics to fight SEO. A lot of times bot-generated links are hidden in pages where normal users wouldn’t see the links, either hidden with JavaScript or CSS. Sometimes websites can actually help prevent botnets from spamming and using SEO to get their sites up as well. For example, if you add a nofollow tag to a link’s HTML, search engines won’t pass on the site’s ranking to the next (possibly spammy) site. This is useful on sites like this where bots can spam the contents and add links. That’s just a couple of examples; there are obviously plenty of others though.
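The comment-link defence described in the reply above, written out as an added example (it is not the commenter's code, nor this blog's): a server-side filter that rewrites user-submitted HTML so every hyperlink carries rel="nofollow", which is what stops a spam comment from passing the host site's ranking to the spammer's site. The sample comment is constructed for the demo.

```python
from html import escape
from html.parser import HTMLParser

# Constructed sample of a spammy comment; not a real post from this thread.
SAMPLE_COMMENT = (
    'Nice post! Visit <a href="http://spam.example/pills" rel="me">cheap pills</a> '
    "& <A HREF='http://x.example'>more</A>"
)


class NofollowRewriter(HTMLParser):
    """Re-emit an HTML fragment with rel="nofollow" forced onto every <a href>.

    Tags are rebuilt from the parsed attributes (so quoting and case are
    normalised) and text and attribute values are re-escaped, so the output
    is well-formed even when the submitted fragment was not.
    """

    VOID = {"br", "hr", "img", "input"}  # tags that take no closing tag

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)  # later duplicate attributes win
        if tag == "a" and "href" in attrs:
            rel = set((attrs.get("rel") or "").split())
            rel.add("nofollow")  # keep any existing rel tokens, add nofollow once
            attrs["rel"] = " ".join(sorted(rel))
        self.out.append(self._format(tag, attrs))

    def handle_endtag(self, tag):
        if tag not in self.VOID:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(escape(data, quote=False))

    @staticmethod
    def _format(tag, attrs):
        parts = [tag]
        for name, value in attrs.items():
            parts.append(name if value is None else f'{name}="{escape(value, quote=True)}"')
        return "<" + " ".join(parts) + ">"


def add_nofollow(fragment: str) -> str:
    """Return `fragment` with every hyperlink marked rel="nofollow".

    Applying it twice is harmless: nofollow is added as a set member.
    """
    parser = NofollowRewriter()
    parser.feed(fragment)
    parser.close()
    return "".join(parser.out)


if __name__ == "__main__":
    print(add_nofollow(SAMPLE_COMMENT))
```

This only addresses the SEO payoff of comment spam; it does not remove the link or stop the bot posting, so it belongs alongside moderation and rate limiting rather than in place of them.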


  8. Abhishek Chhikara Says:

    Microsoft has made some efforts in combating this issue, with its operation named “b49”. On Feb 22, in response to a complaint filed by Microsoft in the U.S. District Court of Eastern Virginia, a federal judge granted a temporary restraining order cutting off 277 Internet domains believed to be run by criminals as the Waledac bot.

  9. Abhishek Chhikara Says:

    Latest in news: Another botnet herder bites the dust, http://www.darknet.org.uk/2010/04/texas-man-pleads-guilty-to-botnet-for-hire/

  10. Antonio Says:

    This presentation was very interesting and informative. I found a recent article on botnets in USA Today.

  11. Rohit Sinha Says:

    Being an internet-based small business owner, it is very difficult to build your image and get a client base. And whenever I have looked for services such as data centers to house my servers, I have always looked on different websites to see if there are any bad remarks. And if there was any bad remark, even if the price was unbeatable, I ended up going for a service that may have been a little bit more expensive but was a little bit more reliable.
