Must Read: Galaxy Note 8.0 tablet: Beating the iPad mini (review)

Topic: Malware

Inside the botnets that never make the news

Summary: This gallery offers an inside view of those "beneath the radar" botnets that never make the news. The images have been collected throughout the past year by using open source intelligence, namely, by either joining the command and control IRC channel upon infection, or monitoring ongoing communications between the botnet masters.If you ever wanted to take an inside view of targeted-botnets primarily run by novice cybercriminals sometimes utilizing outdated, but very effective methods - this gallery is for you.

Dancho Danchev

By |

 |  Image 21 of 26

A second inside peek into the removable media/USB botnet.

  • Thumbnail 1
  • Thumbnail 2
  • Thumbnail 3
  • Thumbnail 4
  • Thumbnail 5
  • Thumbnail 6
  • Thumbnail 7
  • Thumbnail 8
  • Thumbnail 9
  • Thumbnail 10
  • Thumbnail 11
  • Thumbnail 12
  • Thumbnail 13
  • Thumbnail 14
  • Thumbnail 15
  • Thumbnail 16
  • Thumbnail 17
  • Thumbnail 18
  • Thumbnail 19
  • Thumbnail 20
  • Thumbnail 21
  • Thumbnail 22
  • Thumbnail 23
  • Thumbnail 24
  • Thumbnail 25
  • Thumbnail 26

Topics: Malware, Browser, Open Source, Security

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Related Stories

Talkback

10 comments
Log in or register to join the discussion

  • Block IRC traffic completely

    That's the solution. IRC traffic has no place in
    business environments.
    zenotek
    Reply Vote

    • How pray tell?

      You're forgetting, any type of traffic can go over any port. It is not a simple firewall rule. It either requires deep packet inspection (which doesn't do any good if it is SSH'ed, or a lot of manual labor. Your premise is right, but "the devil is in the details."
      rjacksix
      Reply Vote

      • True

        Yes, devil is in the details. This will take some substantial resources to inspect all of packets as they come in though your normally open ports to prevent these botnet from controlling your system if they are infected by any botnet.
        Not getting the bot in your system in the first place a better method than trying to thwart the botmaster from getting to your afterwards.
        If you have no bot then most likely the botmaster will not control anything.
        phatkat
        Reply Vote

        • Excuse me, but what is a "BOT"? Anybody

          Excuse me, but what is a "BOT"? Anybody have a simple answer for a simple minded person like me.

          Thanks,


          Tom
          AA0POTOM@...
          Reply Vote

          • I'd answer if I thought you were watching...

            this post.
            JCitizen
            Reply Vote

    • ... uh, how do you propose to do that?

      IRC can be set to use literally ANY port, not just the well-publicised ports that are used by most casual IRC users. The same problem occurs when you block known IRC hosts (either by domain or IP range) - all you're doing is blocking the major IRC nets. Botnet operators can set up their own servers/nets, using IRC server 'ware available for free for just about any OS.

      Stateful packet inspection's the only viable method, and this gets expensive in terms of processing power needed to scan each inbound and outbound packet. You CAN impose the CIS version of Social Engineering with a "Thou Shalt Not" edict, but unless you have a method of catching someone breaking it, it's hard to enforce.

      It's better to close the vulnerabilities at the point of infection/subversion, by aggressive anti-malware scanning, IM proxy servers, or straight-up blocking of the software from the desktops via a GPO.
      dcnblues
      Reply Vote

      • Exactly how we did it....

        except we needed to do more application patching to reduce our software vulnerability posture.
        JCitizen
        Reply Vote

  • Image 5...

    Did you do the obfuscating? If not, how do you know they're all on the same server?
    Steve Goldman
    Reply Vote

  • No honor among thieves.

    I like the slide of a copyright disclaimer for one of the botnets.
    "Botnet with anti RIAA, anti-piracy disclaimer".
    Who is this person going to call any violation of this policy, the "Ghostbusters"?
    It is interesting that all of them are using some IRC application so if you wanted to stop them you need to stop illicit IRC traffic.
    phatkat
    Reply Vote

  • RE: Botnet exploiting MS0867 flaws (Inside the botnets that never make the news)

    you cant block IRC channles many people use thous channles for legit reason like some of the good mmorpg Games that we have on the net.
    and other websit that provide you with music use the IRC world so doing that is only gonna cut people nose off
    angle7575@...
    Reply Vote
CNET Join | Log In | Privacy | Cookies Close