Spam-Bot Intrusion Caught — Now What?

An anonymous reader wonders: "I've recently detected and halted an intrusion on my home computer, taken some actions to prevent further intrusions, and located the software that was running a bot agent. Cursory examination showed that the bot software is intended for acting as an agent for spamming. Configuration files distinctly point at the user/host/domain of several bot-herders — damning evidence. Nothing would please me more than to see this botnet caught and disassembled; I'm sure much of the internet-using community would support this. Thanks in advance for your suggestions. So, to whom should I disclose this information for appropriate investigation, follow-up, and countermeasures?"
  • by caitriona81 ( 1032126 ) <sdaugherty.gmail@com> on Tuesday April 17, 2007 @01:55AM (#18763565) Journal
    1) Don't contribute to the problem. Attacking botrunners directly, or vigilante action doesn't help, and may actually be harmful - by teaching them how to build better drones. See http://fm.vix.com/internet/security/superbugs.html [vix.com]

    2) As for US gov't agencies, if you or the attacker seem to be in the US, http://www.ic3.gov/ [ic3.gov] is likely to be interested. http://www.cert.org/csirts/national/contact.html [cert.org] can also put you in touch with national computer security incident response teams, who will also be interested (you only need to contact the one local to you; please don't shotgun complaints to all of them.)

    3) As for private companies and research organizations, if the bot isn't already clearly and specifically detected by antivirus, report it to them, following their reporting guidelines. Shadowserver (http://www.shadowserver.org) seems to be interested in researching and gathering intelligence on botnets also.

  • What actions? (Score:5, Insightful)

    by dbIII ( 701233 ) on Tuesday April 17, 2007 @02:02AM (#18763623)
    Were the actions to install from scratch on a new disk / take a disk image to look at later + reformat + reinstall / poke around for a bit with the thing not on the network before reformat + reinstall / rely on external sources for info and just wipe the thing / or did you take the common and lazy approach now of just fixing the obvious damage and hoping the rest of the system is not compromised? The real pain is you can't even trust the backups in some cases especially if the people responsible for the machine ignore it most of the time - it may have been rooted for a while.

    Preaching to the converted here, but I'm amazed how many people do not realise that an owned computer is exactly that - there is nothing at all you can trust absolutely, so you have to look at what is on the disk with something else and have to wipe it and start again. On *nix, script kiddies love to put things in unexpected spots in the init scripts like in /etc/init.d/functions or the equivalent, or replace things like ntpd that you expect to talk to the outside world - so they would have control well before you get a shell. Some Linux rootkits changed the generally useless ext2/ext3 file attributes in a cute effort to make cleaning up harder for those prone to try - it made it trivial to find their stuff because it would be the only thing on the volume with attributes set. Even then you can't trust that is all they did - it's just an obvious sign that you cannot trust anything on the machine.
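
The check dbIII describes above (list everything on the volume that has ext attributes set, since on a normal system almost nothing does) as an added example; this script is not from the thread or from any tool mentioned in it. It assumes the suspect disk has been imaged and mounted read-only from a known-clean system and that `lsattr -R` has been run over the mount point; the sample output, the paths in it and the `KNOWN_GOOD` allowlist are constructed for illustration. One caveat the 2007 comment predates: on ext4 the `e` (extents) flag is set on nearly every file and means nothing, so it is ignored.

```python
"""Flag files on a suspect filesystem that carry unusual ext2/3/4 attributes.

Intended use, from a clean system with the suspect image mounted read-only:
    lsattr -R /mnt/suspect 2>&1 | python3 attrcheck.py --stdin
Without --stdin it runs over the constructed sample below.
"""
import re
import sys
from typing import Dict, Iterable, List, NamedTuple

# lsattr(1) prints one character per flag position, '-' when unset.
# 'e' (extents) is set on almost every ext4 file and carries no meaning here.
BENIGN = {"-", "e"}

# Flags a rootkit sets with chattr(1) to resist deletion or modification.
SUSPICIOUS = {"i": "immutable", "a": "append-only", "u": "undeletable"}

# "<flags> <path>"; directory headers ("/etc:") and lsattr error lines
# ("lsattr: Operation not supported ...") do not match and are skipped.
LSATTR_LINE = re.compile(r"^(?P<flags>[A-Za-z-]+)\s+(?P<path>\S.*)$")


class AttrHit(NamedTuple):
    path: str
    flags: str               # raw lsattr flag field
    suspicious: List[str]    # names of the flags that matter for cleanup


def parse_lsattr(output: str) -> Dict[str, str]:
    """Return {path: flag_string} from `lsattr -R` text, ignoring junk lines."""
    files: Dict[str, str] = {}
    for line in output.splitlines():
        m = LSATTR_LINE.match(line.strip())
        if m:
            files[m.group("path")] = m.group("flags")
    return files


def find_attr_anomalies(output: str, allowlist: Iterable[str] = ()) -> List[AttrHit]:
    """Every file with any non-benign flag set, minus an operator allowlist.

    Any set flag is reported, because the signal is that almost nothing on a
    normal volume has attributes at all; `suspicious` names the worst ones.
    """
    allowed = set(allowlist)
    hits: List[AttrHit] = []
    for path, flags in parse_lsattr(output).items():
        set_flags = [c for c in flags if c not in BENIGN]
        if not set_flags or path in allowed:
            continue
        names = [SUSPICIOUS[c] for c in set_flags if c in SUSPICIOUS]
        hits.append(AttrHit(path, flags, names))
    return hits


# Constructed sample in lsattr -R's output format; not from a real system.
SAMPLE_LSATTR = """\
/etc:
--------------e------- /etc/passwd
--------------e------- /etc/hosts
----i---------e------- /etc/ld.so.preload
lsattr: Operation not supported While reading flags on /proc/1/status
/var/log:
-----a--------e------- /var/log/wtmp
/usr/sbin:
----i---------e------- /usr/sbin/ntpd
"""

# Hypothetical allowlist: files where the admin deliberately set attributes.
KNOWN_GOOD = {"/var/log/wtmp"}


def main(argv: List[str]) -> int:
    data = sys.stdin.read() if "--stdin" in argv else SAMPLE_LSATTR
    hits = find_attr_anomalies(data, KNOWN_GOOD)
    for h in hits:
        print(f"{h.flags}  {h.path}  ({', '.join(h.suspicious) or 'other flags'})")
    return 1 if hits else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

On the sample this reports `/etc/ld.so.preload` and `/usr/sbin/ntpd` as immutable and leaves the allowlisted append-only `wtmp` alone. As the comment says, a hit is a sign the box is owned, not an inventory of what was changed; a replaced binary with no attributes set would not show up here at all.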

  • Publicity (Score:1, Insightful)

    by Debug0x2a ( 1015001 ) on Tuesday April 17, 2007 @02:37AM (#18763847)
    Once they are reported to the proper authorities, make it public here what are signs of your computer being a zombie to them. Get as many people OFF of the botnet you can, and seeing as there are probably plenty of IT guys here, you may be able to get others to uncover more information about the spammers.
  • Run Linux (Score:-1, Insightful)

    by SpaceballsTheUserNam ( 941138 ) on Tuesday April 17, 2007 @03:10AM (#18764095)
    someone had to say it.
  • by bernywork ( 57298 ) * <bstapleton&gmail,com> on Tuesday April 17, 2007 @05:47AM (#18764941) Journal
    Fantastic. Get the person's account shut down; like most people these days, who have multiple domains, internet links and everything else, he will be offline for what? A couple of hours? You're just going to piss him / her off.

    No, the best thing to do here is kill the whole problem. All the machines in the botnet need to be cleaned and updated so that they don't get re-infected, otherwise they will get taken over by someone else (Yes, I know most people when they infect a system DO update it so that someone else can't take over, but they leave back doors). The person running the botnet needs to see the beak (Judge). It might be that the beak decides that a slap on the wrist is the appropriate action, but I think just cutting off one point of access / control of a bot net which I am sure that they have other control over is just silly.

  • by Opportunist ( 166417 ) on Tuesday April 17, 2007 @07:40AM (#18765399)
    You can leave the "Soviet" out of this sentence to actually make it true...
  • by Opportunist ( 166417 ) on Tuesday April 17, 2007 @07:43AM (#18765409)
    Don't make me laugh. Law enforcement usually looks at you with a rather blank stare and says something along the lines of "And ... what should we do now about it?"

    It's not that the nets would be unknown. Every security researcher worth his salt has a fairly good idea where those botnets are and how they work. The problem is, nobody with the legal muscle to do anything about it would care.
  • by Opportunist ( 166417 ) on Tuesday April 17, 2007 @07:50AM (#18765451)
    Clean your computer and go on with your life. Everything else is a waste of precious time, energy and nerves.

    What could you do? You could inform your local law enforcement. Which will invariably end up in a file cabinet within moments because they have no clue how to deal with it.

    You could go a step higher and contact your country's equivalent of some sort of "internet police". Most countries have that today. They will look at the info, find out where the spammer sits and depending on where he sits it goes different roads. Either he is in a country within reach, i.e. your country or one where Interpol/Europol actually has some muscle. In this case, they will maybe even go through the hassle of dealing with the provider hosting the spam controller, and within 2-3 weeks they finally got all the papers necessary to shut the machine down. A day later, the spammer opens up a new one and the party continues.

    If the machine is somewhere in Russia, far east or some country ending in -stan, nothing is being done and it just continues from the same machine.

    The spammer himself (or rather, the individual registering the server) is invariably sitting in some of the countries mentioned in the previous paragraph and thus untouchable anyway.

    In short, the best you can achieve is to annoy a spammer. Just in case the server switch wasn't due anyway, because you can only use a spam controller for a certain amount of time before the ISP gets interested and starts to "persuade" you to move.
  • by Anonymous Coward on Thursday April 19, 2007 @01:41PM (#18801037)
    "Laws that forbid the carrying of arms . . . disarm only those who are neither inclined nor determined to commit crimes . . . Such laws make things worse for the assaulted and better for the assailants; they serve rather to encourage than to prevent homicides, for an unarmed man may be attacked with greater confidence than an armed man."
    -- Thomas Jefferson, 1764

    "This year will go down in history.
    For the first time, a civilized nation has full gun registration.
    Our streets will be safer, our police more efficient, and the world will follow our lead into the future."
    -- Adolf Hitler, 1935

    Hmm, let's learn from the mistakes of the past and not repeat them.
    Besides if you do take my guns and knives, I can still beat you to death with a rock.
    Just try to outlaw rocks, go ahead.
