Recently, a group of malware researchers, at Malware.lu – have seemingly taken the fight back against botnets another step.
Now, first off, let’s get my position on this straight for those watching me who are just waiting for me to break some kind of law or ethical barrier: While I wholeheartedly support these researchers actions, and believe that their approach to “dealing with botmasters” is the way forward, I will NOT be participating in it without cooperation of some sort from Law Enforcement, or legal permission to do so. The ice under my feet is too fucking thin to go popping C&C servers, though I wish I could.
The reason why we should take the fight back to the botnet masters is simple: They have the upper hand here. We do not. They can simply keep changing their C&C servers, keep doing DNS switcharoos, and keep spreading their malware, targeting innocent bystanders and making off with reams of personal data, while us researchers can do shag all except report to the authorities and pray to god they do something. It is not until someone like Microsoft gets involved that shit ACTUALLY gets done.
If the relevant authorities would issue “carte blanche”, or even a “carte gris” to take down botnets if the opportunity arises, the internet would be a far safer place. Until PROACTIVE measures are taken to make the cost of operating and owning these things too damn high for the amateurs, the smaller botnets will proliferate undetected for infinite time.
Anyways, on to the story.
So, the guys at malware.lu (I believe it was r00tBSD) got a sample in, of the HerpesNet botnet. I had been investigating Herpesnet for a while, after seeing it offered up as a “botnet as a service” type thing. You simply infect people, the botmaster/owner handles the C&C and backend server, along with writing the malware.
Fascinating system, and it is criminal economies like these that need to be stamped out. This particular sample was proliferating on Skript Kiddie forums predominantly, however, it is simply showing how *Fast* this kind of service offering has become common place.
Upon analysing the unpacked (non obfusticated) binary, and decrypting the few strings that were obscured, they were able to locate its C&C server.
They were also able to uncover what it sent to the server in HTTP POST requests, which seemingly, was sent in plaintext, and therefore offered them insights into what kind of data this thing was stealing, etc.
The researchers then decided to see could they perhaps use SQL injection attacks to own the command and control server, and in the end, they succeeded, gaining access to the administrator (botmasters) account on the C&C.
Taking things further, they actually uploaded a Meterpreter payload to the server and ran it, remotely hijacking the C&C. They took a screenshot of the C&C through the Meterpreter shell, and it LOOKS to me like it was the malware authors own box they had owned.
Pretty stupid, hosting a multi user botnet on your own box… But… Criminals are rarely the most intelligent it seems.
Now for the REALLY fun part: They then dumped the bots source code, etc. onto their box for more analysis, and subsequently the botmaster severed the box’s internet connection.
Not only this… They doxed the botmaster! Revealing his true identity for all to see (and for all to arrest…).
This kind of thing could be seen by some as vigilante justice, however, I see it as the future of the fight back against crimeware and online fraud. Even xylitol seems to get away with this, so my question to you all is as follows: What is the ethics/legality to this? CAN I legally start “assisting” LEO by dropping botnets and doxing their owners? I am FAIRLY sure I would be breaking anti-hacking laws, but, I also know the law pretty much requires me to do my duty as a citizen to PREVENT crime.
While I won’t be popping botnet C&C servers anytime soon, it is an interesting question to ask… And one I would love to know the answer to.
For more on this story, check out the article the guys wrote here:
Herpesnet Analysis and Ownage – Malware.lu
And also check out their main site: http://malware.lu
Massive props to the Malware.lu team, they are REAL internet superheros!