How to Steal a Botnet - pkrumins
http://www.catonmat.net/blog/how-to-steal-a-botnet-video-lecture-review/

======
nearestneighbor
_The bank account information is valued at $10.00 to $1,000 per account._

What can hackers do with your, say, checking account info (name and account
number, I'm assuming)? Are you liable for any hacker-related losses, if you've
done nothing wrong?

------
jonknee
I don't know why financial institutions don't all require two-factor
authentication these days. Nothing else will stop attacks like this.

~~~
seiji
cf.
[http://www.schneier.com/blog/archives/2005/03/the_failure_of...](http://www.schneier.com/blog/archives/2005/03/the_failure_of.html)

~~~
jonknee
Some decent points, but if you require authentication for all transactions the
man in the middle attack / trojan won't work. For every transfer have a SMS or
phone call triggered to the customer--"We have received a request to transfer
$x to Y, to authenticate please press 1." It may get annoying for every
transaction, so it could only come into play for transactions to parties that
you haven't dealt with in the last X days.

~~~
swolchok
It might be nicer if you made them _say_ "yes" so that replays could be
detected. Pressing 1 makes the same tone every time, so malware on smartphones
can easily bypass this authentication method.

~~~
ubernostrum
If you're going to be that paranoid, the phone can't do it; the malware could
simply record your voice saying "yes" and replay that recording as needed.

~~~
swolchok
Surely, no real person is going to produce the exact same sound twice. Check
the database of previous samples for matches or very close matches.
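The per-transfer confirmation jonknee proposes, and the replay problem swolchok raises against a fixed "press 1" tone, can be shown concretely on the bank's side. The following is an added example and is not code from the lecture or from any commenter: it issues a six-digit confirmation code bound to the exact amount and payee the bank received (so a trojan that alters the payee in the browser invalidates the code), consumes the code on first use (so a captured code cannot be replayed), and expires it after a short window. The key, amounts, payees and timestamps are constructed sample values; `TransactionConfirmer` and `demo` are names chosen here.

```python
from __future__ import annotations

import hashlib
import hmac
import secrets
import time


class TransactionConfirmer:
    """Bank-side issuer of single-use confirmation codes bound to transfer details.

    The customer receives the code together with the amount and payee out of band
    (SMS or voice call) and types it back into the web session. A code is only
    accepted for the nonce, amount and payee it was issued for, once, within ttl.
    """

    def __init__(self, key: bytes, ttl_seconds: float = 300.0) -> None:
        self._key = key
        self._ttl = ttl_seconds
        # nonce -> (amount_cents, payee, issued_at); entries are removed when used
        self._pending: dict[str, tuple[int, str, float]] = {}

    def _code(self, nonce: str, amount_cents: int, payee: str) -> str:
        # HMAC over the transaction details, truncated HOTP-style to six digits.
        msg = f"{nonce}|{amount_cents}|{payee}".encode()
        digest = hmac.new(self._key, msg, hashlib.sha256).digest()
        offset = digest[-1] & 0x0F
        value = int.from_bytes(digest[offset:offset + 4], "big") & 0x7FFFFFFF
        return f"{value % 1_000_000:06d}"

    def issue(self, amount_cents: int, payee: str, now: float | None = None):
        """Record a pending transfer and return (nonce, code) to send to the customer."""
        now = time.time() if now is None else now
        nonce = secrets.token_hex(8)
        self._pending[nonce] = (amount_cents, payee, now)
        return nonce, self._code(nonce, amount_cents, payee)

    def verify(self, nonce: str, amount_cents: int, payee: str, code: str,
               now: float | None = None) -> bool:
        """Accept the transfer only if the code matches the issued details, unexpired, unused."""
        now = time.time() if now is None else now
        entry = self._pending.get(nonce)
        if entry is None:
            return False  # unknown nonce, or code already consumed (replay)
        issued_amount, issued_payee, issued_at = entry
        if now - issued_at > self._ttl:
            del self._pending[nonce]
            return False  # expired
        if (amount_cents, payee) != (issued_amount, issued_payee):
            return False  # transaction details differ from what the customer confirmed
        expected = self._code(nonce, amount_cents, payee)
        if not hmac.compare_digest(expected, code):
            return False  # wrong code
        del self._pending[nonce]  # single use: a second submission is refused
        return True


def demo() -> dict:
    """Constructed scenarios: legitimate use, replay, altered payee, expiry."""
    bank = TransactionConfirmer(key=b"constructed-demo-key-not-a-real-secret")
    results = {}

    nonce, code = bank.issue(25_000, "ACME Supplies", now=1000.0)
    results["legit"] = bank.verify(nonce, 25_000, "ACME Supplies", code, now=1010.0)
    # The same captured code submitted again is refused.
    results["replay"] = bank.verify(nonce, 25_000, "ACME Supplies", code, now=1020.0)

    nonce2, code2 = bank.issue(25_000, "ACME Supplies", now=2000.0)
    # Payee swapped in the browser after the customer confirmed "ACME Supplies".
    results["altered_payee"] = bank.verify(nonce2, 25_000, "Mule Account", code2, now=2005.0)

    nonce3, code3 = bank.issue(100, "Utility Co", now=3000.0)
    # Submitted after the 300-second window has passed.
    results["expired"] = bank.verify(nonce3, 100, "Utility Co", code3, now=3400.0)
    return results


if __name__ == "__main__":
    print(demo())
```

The point of binding the code to amount and payee is that the out-of-band message shows the customer what the bank actually received, not what the browser displayed; the code the customer reads back is only valid for that exact transfer. Consuming the nonce on success is what closes the replay hole that a fixed keypress or a recorded "yes" leaves open.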

------
jackfoxy
Can anyone comment on how effective the common AV packages are at preventing
being infected by Torpig and similar known attacks, and once infected, how
effective at removing the infection?

~~~
Vivtek
Once infected, forget about it.

I've been infected by viruses three times. Twice were before this year, and it
takes some quick work, but both times it was no real challenge to stabilize my
machine, so beyond feeling really stupid for a few hours, it ended up being
kind of fun.

In November, though, I infected my machine again. Three days later, it was
still phoning home to Russia and the Ukraine. There was literally nothing I
could do - even Malwarebytes and the like would clean it up only to a certain
extent, and the viruses were still embedded in the system software. Finally I
just gave up and bought a new machine so I could start from scratch, only
pulling data from the old machine.

A good AV won't let you get infected - you still shouldn't allow actions that
look fishy or unexpected, but at least you're in control. But once you're
infected, the botnet can respond in realtime to what you're trying to do to
stop it. And they're better than you are at it.

I'm not saying it's impossible to clean up a machine that's fallen into their
hands - but I am saying that even with some past success in this under my
belt, I was unable to do it in any amount of time that was justified (even in
terms of fun).

~~~
ajju
Why did you have to buy a new machine? Couldn't you have copied the data to an
external disk instead of a new machine, then formatted the hdds, maybe flashed
the bios and started over?

~~~
Vivtek
Yes. But by that time I'd already spent three days, and wanted to have a Linux
box to be sure nothing could possibly execute on it while I was poking in the
data, and since this all happened on my _birthday_ to start with, my wife
said, "Go out and buy a new machine or two."

So I did, and didn't regret it.

------
omergertel
I actually got a tingly feeling in my spine when I watched this lecture. I'm
having Terminator's Skynet flashes.

~~~
Ixiaus
The darkside of internet technology is very interesting... Can you imagine the
ingenuity that needs to go into the creation of the software for a botnet?
Kind of cool in many ways.

~~~
Vivtek
It is _utterly_ cool. I love it, botnets and spam and all. I just wish I had
the time to spend with it instead of earning a living.

~~~
jrockway
Some of the interesting parts of botnets have commercial or research value.

As an example... I find it very difficult, in general, to install software
onto multiple Windows machines. Different versions of DLLs, differing Windows
features, differing filesystem layout, etc. The botnet control system seems to
reliably install on all sorts of machines, without needing 3 restarts and
without asking lots of dumb questions.

Making installing real programs this easy and reliable would be quite nice.

~~~
pmorici
I'm guessing the software involved would be fairly simple by comparison and
thus there wouldn't be as many complications as in a normal program's
installation. Are there any botnets that use DirectX for example or .Net? I'd
doubt it.

~~~
rikthevik
These kinds of things are meant to run completely under the radar and take up
as little space as possible. Unless they're exploiting an existing .Net or
DirectX installation.

------
Luyt
Would using webpages via https also be compromised? Do these botnets also use
keylogging?

~~~
pkrumins
Yep, using webpages via https would be compromised. The bots hook various DLLs
to get the content before encryption when it's sent and after decryption when
it's received.

They don't seem to use keylogging. They only capture HTML form information.

