Spam-Bot Intrusion Caught — Now What?

An anonymous reader wonders: "I've recently detected and halted an intrusion on my home computer, taken some actions to prevent further intrusions, and located the software that was running a bot agent. Cursory examination showed that the bot software is intended for acting as an agent for spamming. Configuration files distinctly point at the user/host/domain of several bot-herders — damning evidence. Nothing would please me more than to see this botnet caught and disassembled; I'm sure much of the internet-using community would support this. Thanks in advance for your suggestions. So, to whom should I disclose this information for appropriate investigation, follow-up, and countermeasures?"
  • one word (Score:5, Informative)

    by Jbcarpen ( 883850 ) on Tuesday April 17, 2007 @01:36AM (#18763397)
  • by caitriona81 ( 1032126 ) on Tuesday April 17, 2007 @01:55AM (#18763565) Journal
    1) Don't contribute to the problem. Attacking botrunners directly, or vigilante action doesn't help, and may actually be harmful - by teaching them how to build better drones. See []

    2) As for US gov't agencies, if you or the attacker seem to be in the US, [] is likely to be interested. [] can also put you in touch with national computer security incident response teams, who will also be interested (you only need to contact the one local to you; please don't shotgun complaints to all of them).

    3) As for private companies and research organizations, if the bot isn't already clearly and specifically detected by antivirus, report it to them, following their reporting guidelines. Shadowserver seems to be interested in researching and gathering intelligence on botnets also.

    • by Anonymous Coward on Tuesday April 17, 2007 @02:07AM (#18763655)
      Attacking botrunners directly, or vigilante action doesn't help

      The spirited attack on and destruction of Blue Security [] and the spam flood that followed, does not support that assertion. Somebody wanted them gone badly, for a reason.

      • by caitriona81 ( 1032126 ) on Tuesday April 17, 2007 @02:56AM (#18763993) Journal
        I should probably rephrase and clarify, attacking them directly without legal action to back that up is bad - ie, if you are going after a bot runner, it needs to be in a manner that not only takes away their toys, but also puts them in jail, for a long period of time. If you can't take away their freedom in the process, then you aren't doing us any favors by teaching them how not to get caught -- botnets, and their means of control get more and more sophisticated, with overall trends towards plausible deniability and robust survivable command and control networks, designed to either resist attack, or be reconfigured after the fact to retain control of compromised hosts.

        This is a far cry from when botnets were controlled "in the open" on public IRC networks - the kiddies are clearly learning something with each iteration, and they are sharing that knowledge amongst themselves. Also of note is more use of packers, executable encryption and anti-debugger routines, which were completely absent from early botnet executables. Use of rootkits, as well as secondary backdoors (to regain access after the system owner detects the intrusion) are also on the rise.

      • by tacocat ( 527354 ) on Tuesday April 17, 2007 @05:19AM (#18764809)

        I disagree. If you could determine the physical location of such bot herders and disclose that to the internet at large, I'm sure that there would be a final solution applied that people would be willing to turn their backs on. Especially if you could post photographs, names, and physical addresses.

  • by BinarySkies ( 920189 ) on Tuesday April 17, 2007 @01:55AM (#18763571) Homepage
    There is an organization, ShadowServer (if I recall right), that specializes in mucking about with botnets. They'd probably have the right contacts and such to deal with that.
    • by plover ( 150551 ) *
      Shadowserver [] is a group of security researchers that study malware. They actually encourage people to report new incidences of malware to their anti-virus vendors. I don't know if they accept direct submissions of malware, they're kind of a low-profile group. I think if they took submissions directly in any way, the botherders would probably flood them big time. But I don't know, you can try.

      Note that they don't actually "do anything" to the botnets. They study them and gather information, but they l

    • What about the various organizations that run honeypots? They specifically set up computers to be infected by these bot-nets in order to investigate how they propagate and eventually get rid of them. I'm not sure if these organizations pursue prosecutions, but disbanding the bot-net is more important than prosecuting a Russian hacker.

      As an aside: How did you detect the infection?

      I would think that ALL of the various A/V companies would be interested in your findings, as well.
  • by Anonymous Coward
    Spam-Bots catch you!
  • What actions? (Score:5, Insightful)

    by dbIII ( 701233 ) on Tuesday April 17, 2007 @02:02AM (#18763623)
    Were the actions to install from scratch on a new disk / take a disk image to look at later + reformat + reinstall / poke around for a bit with the thing not on the network before reformat + reinstall / rely on external sources for info and just wipe the thing / or did you take the common and lazy approach now of just fixing the obvious damage and hoping the rest of the system is not compromised? The real pain is you can't even trust the backups in some cases especially if the people responsible for the machine ignore it most of the time - it may have been rooted for a while.

    Preaching to the converted here, but I'm amazed how many people do not realise that an owned computer is exactly that - there is nothing at all you can trust absolutely, so you have to look at what is on the disk with something else and have to wipe it and start again. On *nix script kiddies love to put things in unexpected spots in the init scripts like in /etc/init.d/functions or the equivalent, or replace things like ntpd that you expect to talk to the outside world - so they would have control well before you get a shell. Some Linux rootkits changed the generally useless ext2/ext3 file attributes in a cute effort to make cleaning up harder for those prone to try - it made it trivial to find their stuff because it would be the only thing on the volume with attributes set. Even then you can't trust that is all they did - it's just an obvious sign that you cannot trust anything on the machine.
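An added example, not code from this thread, of the attribute check dbIII describes: it parses `lsattr -R` output (a constructed sample with hypothetical paths is embedded) and reports files with the immutable, append-only or undeletable bit set. Run it against the suspect disk mounted read-only on a clean host; on an ordinary system the list is empty, so any hit is worth a look before the wipe.

```python
"""Find files carrying ext2/ext3/ext4 attributes an intruder sets to resist removal.

Added example, not code from the Slashdot thread. It parses the output of
`lsattr -R` (one line per file: flags field, a space, the path; directory
headers end in ':'; errors start with 'lsattr:') and reports files whose
immutable, append-only or undeletable bit is set.
"""
import string
import subprocess
from typing import Dict, List

# lsattr flag letters worth flagging; 'e' (extents) is routine and ignored.
SUSPECT_FLAGS = {"i": "immutable", "a": "append-only", "u": "undeletable"}

# Constructed sample of `lsattr -R` output; paths and flags are hypothetical.
SAMPLE_LSATTR = """\
/etc/init.d:
--------------e------- /etc/init.d/cron
----i---------e------- /etc/init.d/functions

/var/tmp:
-----a--------e------- /var/tmp/.x/log

/usr/sbin:
--------------e------- /usr/sbin/ntpd
lsattr: Operation not supported While reading flags on /proc/1
"""

FLAG_CHARS = set("-" + string.ascii_letters)


def parse_lsattr(output: str) -> Dict[str, List[str]]:
    """Return {path: [attribute names]} for every file with a suspect flag."""
    hits: Dict[str, List[str]] = {}
    for line in output.splitlines():
        # Skip blanks, directory headers and lsattr's own error messages.
        if not line or line.endswith(":") or line.startswith("lsattr:"):
            continue
        flags, _, path = line.partition(" ")
        if not path or set(flags) - FLAG_CHARS:
            continue  # not a flags line
        found = [name for letter, name in SUSPECT_FLAGS.items() if letter in flags]
        if found:
            hits[path] = found
    return hits


def scan_volume(root: str) -> Dict[str, List[str]]:
    """Run lsattr recursively over `root` and report the suspect files."""
    proc = subprocess.run(["lsattr", "-R", root], capture_output=True, text=True)
    return parse_lsattr(proc.stdout)


if __name__ == "__main__":
    for path, names in parse_lsattr(SAMPLE_LSATTR).items():
        print(f"{path}: {', '.join(names)}")
```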

    • When this happened to my wife's computer I in turn locked out port 25 from her computer going out, since I have an internal mail computer already. I also completely formatted her drive and she is now using Linux.

      She hates it but I could not trust her computer at all anymore.

      All she ever does is Yahoo mail, PopCap games, and surf internet sites. The bot got on there and it was so well hidden the only way I noticed was huge traffic on my router, and you can see it going to certain sites and downloading the "tasks".
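An added example, not code from the thread, of the two things this poster did: spotting the bot from router traffic and then locking port 25 to the internal mail host. It reads iptables-style log lines (a constructed sample; hosts, addresses and the relay address are assumptions) and flags LAN hosts that opened SMTP connections to many distinct outside servers, then prints the FORWARD-chain rules that let only the relay send mail out.

```python
"""Spot LAN hosts that talk SMTP directly to many outside servers.

Added example, not code from the thread. Log lines are parsed as
whitespace-separated KEY=VALUE fields (SRC=, DST=, PROTO=, DPT=), the
shape iptables LOG produces; the sample below is constructed and simplified.
"""
from collections import defaultdict
from typing import Dict, Iterable, List, Set

RELAY = "192.168.1.2"  # hypothetical internal mail relay

# Constructed sample router log (hypothetical hosts and addresses).
SAMPLE_LOG = """\
Apr 16 22:10:01 gw kernel: FWD IN=br0 OUT=ppp0 SRC=192.168.1.12 DST=203.0.113.7 PROTO=TCP DPT=25
Apr 16 22:10:02 gw kernel: FWD IN=br0 OUT=ppp0 SRC=192.168.1.12 DST=203.0.113.9 PROTO=TCP DPT=25
Apr 16 22:10:03 gw kernel: FWD IN=br0 OUT=ppp0 SRC=192.168.1.12 DST=198.51.100.4 PROTO=TCP DPT=25
Apr 16 22:10:04 gw kernel: FWD IN=br0 OUT=ppp0 SRC=192.168.1.12 DST=198.51.100.22 PROTO=TCP DPT=25
Apr 16 22:10:05 gw kernel: FWD IN=br0 OUT=ppp0 SRC=192.168.1.2 DST=198.51.100.4 PROTO=TCP DPT=25
Apr 16 22:10:06 gw kernel: FWD IN=br0 OUT=ppp0 SRC=192.168.1.30 DST=203.0.113.80 PROTO=TCP DPT=80
Apr 16 22:10:07 gw kernel: FWD IN=br0 OUT=ppp0 SRC=192.168.1.30 DST=203.0.113.7 PROTO=TCP DPT=25
"""


def parse_fields(line: str) -> Dict[str, str]:
    """Turn the KEY=VALUE tokens of one log line into a dict."""
    return dict(tok.split("=", 1) for tok in line.split() if "=" in tok)


def smtp_fanout(lines: Iterable[str], relay: str = RELAY,
                threshold: int = 3) -> Dict[str, Set[str]]:
    """Return {src: {dst, ...}} for non-relay hosts that reached at least
    `threshold` distinct SMTP servers. A mail client talks to one or two
    servers; a spam bot fans out to many."""
    seen: Dict[str, Set[str]] = defaultdict(set)
    for line in lines:
        f = parse_fields(line)
        if f.get("PROTO") != "TCP" or f.get("DPT") != "25":
            continue
        if "SRC" not in f or "DST" not in f or f["SRC"] == relay:
            continue
        seen[f["SRC"]].add(f["DST"])
    return {src: dsts for src, dsts in seen.items() if len(dsts) >= threshold}


def egress_rules(relay: str = RELAY) -> List[str]:
    """Router FORWARD-chain rules: the relay may send mail out; every other
    LAN host is rejected on port 25."""
    return [
        f"iptables -A FORWARD -s {relay} -p tcp --dport 25 -j ACCEPT",
        "iptables -A FORWARD -p tcp --dport 25 -j REJECT",
    ]


if __name__ == "__main__":
    for src, dsts in smtp_fanout(SAMPLE_LOG.splitlines()).items():
        print(f"{src}: {len(dsts)} distinct SMTP destinations {sorted(dsts)}")
    print("\n".join(egress_rules()))
```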
  • I would contact local law enforcement first, as they would probably know if there is any possibility of legal action. Also, some law enforcement agencies have departments dedicated to cybercrimes, and IMHO the best way to contact those would be through local law enforcement. Be sure to inform them that your computer was hacked or broken into, so that the incident is not mistaken for regular spam email.

    If that fails (maybe because law enforcement does not have enough manpower to deal with it), then posting all inform
    • by Anonymous Coward
      I have yet to see the police do anything about computer crime. There has to be a major incident before things change, as I see it.
    • Re: (Score:3, Insightful)

      by Opportunist ( 166417 )
      Don't make me laugh. Law enforcement usually looks at you with a rather blank stare and says something along the lines of "And ... what should we do now about it?"

      It's not that the nets would be unknown. Every security researcher worth his salt has a fairly good idea where those botnets are and how they work. The problem is, nobody with the legal muscle to do anything about it would care.
  • Name and shame (Score:3, Interesting)

    by Anonymous Coward on Tuesday April 17, 2007 @02:28AM (#18763797)
    How did you get the infestation? What did you download?
    • It was probably just something that came down "accidentally" from one of those pr0n sites...

      "Oh golly me, how did that happen..." ;)
  • Publicity (Score:1, Insightful)

    by Debug0x2a ( 1015001 )
    Once they are reported to the proper authorities, make it public here what are signs of your computer being a zombie to them. Get as many people OFF of the botnet you can, and seeing as there are probably plenty of IT guys here, you may be able to get others to uncover more information about the spammers.
  • by sp1n ( 99710 ) on Tuesday April 17, 2007 @02:40AM (#18763875) Homepage
    You have the bot herder address. To do the most "damage", get it shut down. Contact the ISP abuse department who hosts it. If there's a DNS name, also contact the ISP hosting the authoritative DNS zone and possibly the registrar, who may elect to terminate the domain. If you don't get a response from the ISP, contact their upstream provider(s) (if a smaller Tier 3 ISP).

    Whois is your friend.

    • by bernywork ( 57298 ) * on Tuesday April 17, 2007 @05:47AM (#18764941) Journal
      Fantastic. Get the person's account shut down; like most people these days, who have multiple domains, internet links and everything else, he will be offline for what? A couple of hours? You're just going to piss him / her off.

      No, the best thing to do here is kill the whole problem. All the machines in the botnet need to be cleaned and updated so that they don't get re-infected, otherwise they will get taken over by someone else (Yes, I know most people when they infect a system DO update it so that someone else can't take over, but they leave back doors). The person running the botnet needs to see the beak (Judge). It might be that the beak decides that a slap on the wrist is the appropriate action, but I think just cutting off one point of access / control of a bot net which I am sure that they have other control over is just silly.

    • by Nimey ( 114278 )
      Spammers tend to buy "bulletproof" hosting that will ignore takedown requests.

      I say we lift off and nuke the site from orbit. It's the only way to be sure.
    • Re: (Score:3, Informative)

      by mandelbr0t ( 1015855 )
      Usually you won't get anything from the ISP. I start with ARIN [] and move to RIPE, APNIC as the search suggests. I run into one of two scenarios:

      1) There is a properly listed contact for abuse reports to whom I send the complete relevant log entries in text format. I usually don't hear from them again, but I also don't see any further network abuse from that netblock owner.

      2) The owner of the IP block is a complete and utter joke. Examples: they don't correctly configure their reverse DNS, so they will claim t
  • Rule 1 (Score:1, Troll)

    Learn from your mistake. You got a spambot because you messed up your 1337 sysadmin skills. You need to figure out what you did wrong and how not to do it again.

    Then, you need to stay on top of security issues. You appear to run Windows, so you'll have to work 10x as hard to do that. Windows is a big steaming pile of goat shit when it comes to security. All the sh1t that MS claim protects you does nothing more than inconvenience normal users and slow their boxes down to buggery.

    You're not likely t
  • The appropriate action probably depends on the country you are in and the country hosting the herders.

    From a list of things to be done, I would contact the ISP last. They will probably contact the perpetrators directly and remove them from service, but that will do nothing to take them out of circulation. That requires something more. Alternatively, you might ask your ISP for advice on how to proceed. But make your intentions clear to them. They might not have a clue what you've captured.

  • by tigersha ( 151319 ) on Tuesday April 17, 2007 @05:36AM (#18764889) Homepage

    Hack into the US Navy weapons control website.

    Search for a file called "city-coords.txt".

    Find out what the lat and long is of the spammer.

    Change the line "Al Queda Base 4:xxx" to reflect the new coordinates.

    Dress as Osama and make a press release with a big "Base 4" sign behind you. Use a good make-up artist if you want.

    Two days later and BAM!!! the spammer is gone. Your tax dollars at work for you!

  • by Opportunist ( 166417 ) on Tuesday April 17, 2007 @07:50AM (#18765451)
    Clean your computer and go on with your life. Everything else is a waste of precious time, energy and nerves.

    What could you do? You could inform your local law enforcement. Which will invariably end up in a file cabinet within moments because they have no clue how to deal with it.

    You could go a step higher and contact your country's equivalent of some sort of "internet police". Most countries have that today. They will look at the info, find out where the spammer sits and depending on where he sits it goes different roads. Either he is in a country within reach, i.e. your country or one where Interpol/Europol actually has some muscle. In this case, they will maybe even go through the hassle of dealing with the provider hosting the spam controller, and within 2-3 weeks they finally got all the papers necessary to shut the machine down. A day later, the spammer opens up a new one and the party continues.

    If the machine is somewhere in Russia, far east or some country ending in -stan, nothing is being done and it just continues from the same machine.

    The spammer himself (or rather, the individual registering the server) is invariably sitting in some of the countries mentioned in the previous paragraph and thus untouchable anyway.

    In short, the best you can achieve is to annoy a spammer. Just in case the server switch wasn't due anyway, because you can only use a spam controller for a certain amount of time before the ISP gets interested and starts to "persuade" you to move.
  • by mattr ( 78516 ) on Tuesday April 17, 2007 @08:07AM (#18765555) Homepage Journal
    I had my own server broken into for the first time; it wasn't a botnet but a Bank of America-style phishing site. I discovered it when trying to make a subdomain with the control panel didn't work right. The provider said they cleaned some out but couldn't be sure, and then in fact I found the servers myself, in /root and /tmp disguised as other files. I mailed Yahoo and Google since both had email addresses being used, and told the ISP. Guess what? I got no response from Google, and none from the ISP (they totally suck too; I've been down for a month after being told to erase the disk and they upgraded me - to Fedora Core 2! - and are so incompetent it is not even usable anymore. So I'm changing to a better managed hosting company rsn.)
    I did get a thank you from Yahoo. But, the first one was clueless, ignoring the content of my letter. I got a second one from them saying thanks. But that they couldn't accept attachments. So couldn't send them the proof.

    At any rate, what I did is erase the disk, restore from backup and some checked files, and lose a lot of time. There is probably little more you can do than simply report to one of the links below that you have a botnet address then as quickly as possible erase it.

    I also found a number of commands changed in /bin; however, I couldn't tell if it was the crackers or the ISP who did that. It was running out-of-date software, and though they failed lots of FTP login probes, it looks like they got in through an out-of-use user's login somehow and promoted to root.

    Moral of the story? If you use a managed hosting service, keep a FULL backup locally. Run tripwire or something similar, I will from now on. Use a hosting service that is not completely clueless. Do not try an upgrade or anything afterwards. Have a portable hard disk you can use - my ipod was very useful. The most annoying thing was having to spend lots of time on the phone with admins, and having my email and website hanging in the air. The answer is to immediately cut all your losses, get another system maybe on another provider. Possibly you could even do this with a local machine and dyndns temporarily but if you're busy the last thing you have time to do is mess with crooks. Best thing that came from it is I discovered several other hosting companies from friendly clients who helped me get my jobs done.
    • by bleh-of-the-huns ( 17740 ) on Tuesday April 17, 2007 @09:55AM (#18766579)
      Yahoo and Google etc. are not clueless, just overworked. I have worked security for large ISPs, UUNET (prior to MCI getting involved), AOL Time Warner, and a couple of others. They get far too many complaints to be able to respond to each, so you are lucky if you get an autoresponse, but don't expect them to contact you; there is just no time for it. The attachment problem is due to the fact that in many cases, complaints are placed into a tracking system, so instead of an attachment, you end up with uuencoded text. It's a pain to have to reassemble that manually for every complaint, and if you hit up the security pages of those websites, they clearly state not to use attachments.

      Unless the botnet has caused more than $5k in proven damages, with tangible evidence, law enforcement will not get involved. This is at the federal level; not sure about state and local, as they rarely deal with cyber crimes of this type. They prefer to deal with cyber stalking and threats to individuals in their localities. If you must report a botnet, report it to US-CERT (run by DHS). They may not be able to get to the root if it's in one of those countries listed, but they can research it, and they are capable, and if something can be done, it will be done in the background.
      • by mattr ( 78516 )
        Thanks for your insight. I would value it as $5000 lost, but that is tough to prove, except for about $200 of telephone calls. The attachment problem is interesting; it sounds like someone needs an open source package so people can add this kind of functionality. I didn't even receive an automated response from Google, though.

        As recent threads have noted it pays to spam, which is why this has grown into such a sophisticated industry. It almost (not quite?) seems like spending that time taking revenge
    • ...don't get your hopes up.

      A few years ago I installed a new release of a major vendor's OS. Unbeknownst to me, they had gone from a default secure model to a default open model. Before I finished checking out the security, someone had hacked in, installed a rootkit, and was using my system to attack a major financial institution. Their security guy contacted my ISP who contacted me. I yanked the ethernet cable, tracked everything down, saved the evidence (logs, binaries, etc), finished tightening the s
  • Reinstall everything from scratch and trusted media.

    It's not because you think you only have a spambot that there's no trojan/backdoor/rootkit lurking in the background.
    Be paranoid: do not trust any executable code, and not even your (hopefully) backed-up data.

    Otherwise, you might just end up putting back yet another future spam/DDOS/phishbot on the net.

  • Surfing the Web I have come across the [] site, which includes two online scanners that apparently scan the PC in a very short time. They also claim to detect more malware than any other antivirus installed on the computer. Supposedly these tools can detect viruses running on the computer. I tried one of them and was actually quite surprised at how fast it was. It didn't detect anything unusual, but asked me to use the second scanner which, so it says, can detect anything maliciou
    • Mark Hypponen reported in Nov. 2006 that there were over 200,000. Last I'd heard there were about 360,000 total viruses (for all OSes: 30,000 for Mac, 15 for Linux, etc). I'd second guess the assertion of over 700,000 viruses, even with differences in counting variants and definitions of malware/spyware/adware/viruses/etc... I'm not personally familiar with this service, but I've not found many online scanners that do a real good job of scanning, let alone removing.

      I have extensive experience with malware r
  • This is included at the bottom of the botnet mailing list:

    To report a botnet PRIVATELY please email:

    All list and server information are public and available to law enforcement upon request. /botnets []

  • SANS (Score:3, Informative)

    by gunnk ( 463227 ) on Tuesday April 17, 2007 @03:51PM (#18772169) Homepage
    The good folks at SANS do their best to act as early warning and protection for the net. They'd likely be interested in helping break this up AND they have the appropriate contacts in government and law enforcement to do so.

    You can contact them here: and see if they are interested or can direct you to the appropriate person or agency contact.
