Spam-Bot Intrusion Caught — Now What?

An anonymous reader wonders: "I've recently detected and halted an intrusion on my home computer, taken some actions to prevent further intrusions, and located the software that was running a bot agent. Cursory examination showed that the bot software is intended for acting as an agent for spamming. Configuration files distinctly point at the user/host/domain of several bot-herders, damning evidence. Nothing would please me more than to see this botnet caught and disassembled; I'm sure much of the internet-using community would support this. Thanks in advance for your suggestions. So, to whom should I disclose this information for appropriate investigation, follow-up, and countermeasures?"
  • by Anonymous Coward on Tuesday April 17, 2007 @02:07AM (#18763655)
    Attacking botrunners directly, or vigilante action doesn't help

    The spirited attack on and destruction of Blue Security [securitylandlives.com], and the spam flood that followed, do not support that assertion. Somebody wanted them gone badly, for a reason.

  • Name and shame (Score:3, Interesting)

    by Anonymous Coward on Tuesday April 17, 2007 @02:28AM (#18763797)
    How did you get the infestation? What did you download?
  • by sp1n ( 99710 ) on Tuesday April 17, 2007 @02:40AM (#18763875) Homepage
    You have the bot herder address. To do the most "damage", get it shut down. Contact the ISP abuse department who hosts it. If there's a DNS name, also contact the ISP hosting the authoritative DNS zone and possibly the registrar, who may elect to terminate the domain. If you don't get a response from the ISP, contact their upstream provider(s) (if a smaller Tier 3 ISP).

    Whois is your friend.
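One way to make sp1n's "whois is your friend" step repeatable, as an added example that is not from the thread: a small Python script that pulls abuse contacts out of a whois record and drafts the report for the abuse desk. The two whois records are constructed (documentation address ranges, example.* domains), and the report layout is a hypothetical one, not any registry's form.

```python
import re
from typing import List, Optional

# Constructed sample whois records (not real registry data; the address
# blocks are the RFC 5737 documentation ranges). The first mimics ARIN's
# field names, the second RIPE/APNIC's.
SAMPLE_WHOIS_ARIN = """\
NetRange:       192.0.2.0 - 192.0.2.255
NetName:        EXAMPLE-HOSTING
OrgAbuseEmail:  abuse@hosting.example
OrgTechEmail:   noc@hosting.example
"""
SAMPLE_WHOIS_RIPE = """\
inetnum:        198.51.100.0 - 198.51.100.255
netname:        EXAMPLE-NET
abuse-mailbox:  abuse@isp.example
remarks:        Please report spam and abuse to abuse@isp.example
"""

EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")

def abuse_contacts(whois_text: str) -> List[str]:
    """Return de-duplicated abuse addresses: explicit abuse fields first,
    then addresses hinted at in free-text lines such as 'remarks:'."""
    explicit, hinted = [], []
    for line in whois_text.splitlines():
        if ":" not in line or line.lstrip().startswith(("%", "#")):
            continue  # skip registry comments and non key/value lines
        key, _, value = line.partition(":")
        key = key.strip().lower()
        for email in (e.lower() for e in EMAIL_RE.findall(value)):
            if "abuse" in key:
                explicit.append(email)
            elif "abuse" in value.lower():
                hinted.append(email)
    return list(dict.fromkeys(explicit + hinted))

def net_name(whois_text: str) -> Optional[str]:
    """The registry's label for the block, handy in the report subject."""
    m = re.search(r"^netname:\s*(\S+)", whois_text, re.MULTILINE | re.IGNORECASE)
    return m.group(1) if m else None

def draft_abuse_report(ip: str, whois_text: str, evidence: List[str]) -> str:
    """Assemble a report an abuse desk can act on (hypothetical layout)."""
    to = abuse_contacts(whois_text) or ["<no abuse contact found; try the upstream provider>"]
    lines = [f"To: {', '.join(to)}",
             f"Subject: Bot controller on {ip} ({net_name(whois_text) or 'unknown netname'})",
             f"\nHost {ip} in your address space appears as a controller in bot software "
             "recovered from a compromised machine. Evidence (all timestamps UTC):"]
    return "\n".join(lines + [f"  - {item}" for item in evidence])
```

If the record carries no abuse field at all, the placeholder recipient is the cue to follow sp1n's advice and look up the upstream provider's allocation instead.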

  • by caitriona81 ( 1032126 ) <sdaugherty@gmDEGASail.com minus painter> on Tuesday April 17, 2007 @02:56AM (#18763993) Journal
    I should probably rephrase and clarify: attacking them directly without legal action to back that up is bad, i.e., if you are going after a bot runner, it needs to be in a manner that not only takes away their toys, but also puts them in jail, for a long period of time. If you can't take away their freedom in the process, then you aren't doing us any favors by teaching them how not to get caught -- botnets, and their means of control, get more and more sophisticated, with overall trends towards plausible deniability and robust, survivable command and control networks, designed to either resist attack, or be reconfigured after the fact to retain control of compromised hosts.

    This is a far cry from when botnets were controlled "in the open" on public IRC networks - the kiddies are clearly learning something with each iteration, and they are sharing that knowledge amongst themselves. Also of note is more use of packers, executable encryption and anti-debugger routines, which were completely absent from early botnet executables. Use of rootkits, as well as secondary backdoors (to regain access after the system owner detects the intrusion), is also on the rise.
