[svlug] SPAM: 5.8: efficient bot detection
Chris Miller
lordsauronthegreat at gmail.com
Wed Jul 18 00:50:47 PDT 2007
On 7/17/07, Rodney Crater <rodneycrater at hotmail.com> wrote:
> I ask you this question because I am aware of the tremendous amount of
> expertise individuals have on this list. What would be your recommendation
The indicator of a bot is (of course) frequent messages sent that are
spam, and frequent connections to IRC/telnet. Rather than dismantle
bot by bot, I'd suggest looking for services which trace the bot's
command servers so that you can take down the owner of the whole
botnet. Anything else is entirely impractical because there will
still be a villain out there to improve his botware and infect the net
all over again.
> for the most efficient bot detection and removal tool for either or both
> linux based machines and MS based machines? I see a flurry of loud speaking
The difference between the two platforms is great, and so is the
difference in detection. In Windows, the signs are obviously the
traffic coming out of the machine. In Linux, where the usual role of
the machine is a server, you need to perform security audits and check
the running processes for anachronisms. This requires cooperation
with the server's owner. I'd only do that if that machine is
referenced by the traffic intercepted from the various Windows bots
you're monitoring.
> or loud writing individuals and commercial establishments boasting of their
> products but the noise is so loud it is difficult to establish the truth
> unless one asks those who have the best expertise.
The truth is that any "automated" solution to destroying botnets
remotely is inherently illegal. I looked into this prospect myself a
while back when entertaining the idea of an "active defense" system
for servers based off a computer security research project known as
SPIKE. The problem is that even by rewarding bad behavior from other
peers on the network (either if they're trying to hack you, or if
you're obviously sending out loads of spam) it's inherently illegal to
hit back without notifying the owner of the machine. So, of course,
bot nets themselves are disgustingly illegal, however, there's nothing
you can really do about it ('cause you're the good guy and they're the
bad guy and they'll always have those impossibly frustrating
advantages over you).
The best way is to have a savvy hacker who knows what he's doing and
what the limitations of the law are, as well as the
police/NSA/CIA/whoever-you-can-call-for-authority on speed-dial.
Laws may have changed from where I last saw them, however, that's what
I remember from when I was last at that problem. The best I think we
all can do is to keep our own machines clean and be good about keeping
the computers of our friends clean, as well as helping to educate
others in the art of how to keep a machine safe (usually as easy as
installing Windows Defender, not using insecure things like
Hotmail/Outlook, and always approaching any file with healthy
skepticism).
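The two traffic signals named in the reply (repeated connections to IRC/telnet command channels and a burst of outbound spam) can be turned into a simple detector run over connection logs. The following is an added example, not code from the post or from any product the thread discusses; it assumes a constructed firewall-style flow record format ("timestamp src -> dst:port proto") and thresholds chosen only for illustration. It adds a sliding time window so that a legitimate mail server sending the same number of messages over two hours is not confused with a host blasting them out in under a minute.

```python
"""Flag hosts whose outbound traffic shows the bot signals from the message:
many connections to IRC/telnet ports and bulk outbound SMTP in a short window.
Added example; the log format, hosts and thresholds are all constructed."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed record format: "<ISO timestamp> <src_ip> -> <dst_ip>:<dst_port> <proto>"
LINE_RE = re.compile(r"^(\S+) (\S+) -> (\S+):(\d+) (\w+)$")

# Destination ports the reply singles out as command-channel indicators.
C2_PORTS = {6667: "irc", 6697: "irc-tls", 23: "telnet"}
SMTP_PORT = 25


def build_sample_log():
    """Construct sample flow records (not real traffic) for three hosts."""
    base = datetime(2007, 7, 17, 22, 0, 0)
    lines = []

    def rec(offset_s, src, dst, port):
        ts = (base + timedelta(seconds=offset_s)).isoformat()
        lines.append(f"{ts} {src} -> {dst}:{port} tcp")

    # 192.0.2.10: repeated IRC/telnet connections plus a burst of outbound SMTP
    for i in range(4):
        rec(i * 3, "192.0.2.10", "198.51.100.5", 6667)
    rec(15, "192.0.2.10", "198.51.100.7", 23)
    for i in range(25):
        rec(20 + i, "192.0.2.10", f"203.0.113.{i + 1}", 25)
    # 192.0.2.20: one IRC session and ordinary web browsing, nothing to flag
    rec(30, "192.0.2.20", "198.51.100.5", 6667)
    rec(31, "192.0.2.20", "203.0.113.50", 80)
    rec(40, "192.0.2.20", "203.0.113.51", 443)
    # 192.0.2.30: the same mail volume spread over two hours (a normal MTA)
    for i in range(25):
        rec(i * 300, "192.0.2.30", f"203.0.113.{i + 1}", 25)
    return lines


def parse_line(line):
    """Return (timestamp, src, dst, port, proto) or None for a malformed line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, src, dst, port, proto = m.groups()
    return datetime.fromisoformat(ts), src, dst, int(port), proto


def max_in_window(times, window):
    """Largest number of events that fall inside any sliding window."""
    times = sorted(times)
    best = start = 0
    for end, t in enumerate(times):
        while t - times[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def detect_bots(lines, c2_threshold=3, smtp_threshold=20,
                window=timedelta(minutes=5)):
    """Map each suspicious source IP to the list of reasons it was flagged."""
    c2_hits = defaultdict(list)     # src -> [(port label, dst), ...]
    smtp_times = defaultdict(list)  # src -> [timestamps of SMTP connections]
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ts, src, dst, port, _ = rec
        if port in C2_PORTS:
            c2_hits[src].append((C2_PORTS[port], dst))
        elif port == SMTP_PORT:
            smtp_times[src].append(ts)

    findings = {}
    for src in set(c2_hits) | set(smtp_times):
        reasons = []
        if len(c2_hits[src]) >= c2_threshold:
            reasons.append(f"{len(c2_hits[src])} connections to IRC/telnet ports")
        burst = max_in_window(smtp_times[src], window)
        if burst >= smtp_threshold:
            reasons.append(f"{burst} outbound SMTP connections within {window}")
        if reasons:
            findings[src] = reasons
    return findings


if __name__ == "__main__":
    for host, reasons in sorted(detect_bots(build_sample_log()).items()):
        print(host, "->", "; ".join(reasons))
```

Only 192.0.2.10 is reported: it trips both the command-channel count and the SMTP burst, while the host that sends the same 25 messages at five-minute intervals never exceeds two connections in any window. In practice the thresholds would be tuned against a baseline of the network's normal traffic, and a flagged Linux host would then get the process and audit review the reply describes rather than an automatic response.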