CastleCops, Internet Crime Fighters
Strategies: BRAT: Botnet Reporting And Termination
Cyber Security
tembow writes "Botnets are the flavor of the year. As a means of performing DDoS attacks, as a spam sending engine, as a mailing list generator, hijacked proxy name server, web server - there is amazing versatility in bots in the wild today. 2007 has been the year of their proliferation.

Many educational and research facilities are studying, classifying and analyzing the phenomenon. But there are few who are actually involved in terminating them.

Castlecops has a proud history of going that extra step. With PIRT, MIRT, SIRT and WsIRT the emphasis has been on Termination. Botnets deserve the same emphasis.

One element of botnets that is very easy to track is the use of hijacked machines as web servers and name servers. With such elementary tools as Dig and Whois anyone can track the IP addresses of botnets. By logging the addresses as they appear, and reporting them to the address owners, you can make a dent in the numbers. The numbers are daunting, some say there are millions of bots. But with consistent reporting, gradually the bots can be cleaned up and the numbers reduced.

That is where the BRAT project comes in - Botnet Reporting and Termination! Inspired by the Castlecops mentality, since October 1 2007, IP addresses for 9 high end botnets have been tracked and reported to their ISPs using this simple methodology. Over that same period, the number of bots in the wild as measured by ShadowServer has dropped from 180,000 to 100,000.

The project is described in more detail at the European Spam Wiki.
We have not seen the eradication of the botnets, but we are seeing a serious dent in the numbers."
Posted on Sunday, 11 November 2007 @ 02:01:08 UTC by Paul (1155 reads)
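The tracking-and-reporting loop the story describes (collect the addresses a botnet hostname resolves to, log each one the first time it appears, find the netblock owner with whois, and report), as an added example in Python; this is not BRAT's or CastleCops' own code. The dig snapshots, the hostname and the whois records are constructed sample input using RFC 5737 documentation addresses; in practice the text would come from `dig +short` and `whois` output. The example goes slightly beyond the story in that the whois parser handles both the ARIN-style `OrgAbuseEmail` and the RIPE-style `abuse-mailbox` field, falling back to any abuse@ mailbox mentioned in the record.

```python
"""Log bot addresses from successive DNS answers and group them by abuse
contact for reporting.  Added example; not BRAT or CastleCops code."""
import re
from collections import defaultdict
from ipaddress import ip_address, summarize_address_range

# Constructed input: three `dig +short` answer sets for a hypothetical
# fast-flux hostname, taken half an hour apart (RFC 5737 documentation ranges).
DIG_SNAPSHOTS = [
    ("2007-11-01T00:00Z", "198.51.100.7\n203.0.113.21\n192.0.2.88\n"),
    ("2007-11-01T00:30Z", "203.0.113.21\n192.0.2.88\n198.51.100.13\n"),
    ("2007-11-01T01:00Z", "bots.flux.example.\n192.0.2.5\n198.51.100.13\n"),
]

# Constructed whois output in the two common layouts (ARIN-style OrgAbuseEmail,
# RIPE-style abuse-mailbox) plus one record with the contact only in remarks.
WHOIS_TEXTS = [
    "NetRange:       198.51.100.0 - 198.51.100.255\n"
    "OrgName:        Example Cable Co\n"
    "OrgAbuseEmail:  abuse@cable.example\n",
    "inetnum:        203.0.113.0 - 203.0.113.255\n"
    "netname:        EXAMPLE-DSL\n"
    "abuse-mailbox:  abuse@dsl.example\n",
    "inetnum:        192.0.2.0 - 192.0.2.255\n"
    "netname:        EXAMPLE-HOST\n"
    "remarks:        please report abuse to abuse@host.example\n",
]

_RANGE = re.compile(r"^(?:inetnum|NetRange):\s*([\d.]+)\s*-\s*([\d.]+)", re.M)
_ABUSE_FIELD = re.compile(r"^(?:OrgAbuseEmail|abuse-mailbox):\s*(\S+)", re.M | re.I)
_ABUSE_ANY = re.compile(r"\babuse@[\w.-]+")


def parse_dig_short(text):
    """Return the IP addresses in `dig +short` output; CNAME lines are skipped."""
    addrs = []
    for line in text.splitlines():
        line = line.strip().rstrip(".")
        try:
            addrs.append(str(ip_address(line)))
        except ValueError:
            continue  # empty line or a hostname (CNAME target)
    return addrs


def track_first_seen(snapshots):
    """Map each address to the timestamp of the first snapshot it appeared in."""
    first_seen = {}
    for when, text in snapshots:
        for addr in parse_dig_short(text):
            first_seen.setdefault(addr, when)
    return first_seen


def parse_whois(text):
    """Extract (networks, abuse contact) from one whois record."""
    m = _RANGE.search(text)
    nets = (list(summarize_address_range(ip_address(m.group(1)), ip_address(m.group(2))))
            if m else [])
    m = _ABUSE_FIELD.search(text)
    contact = m.group(1) if m else None
    if contact is None:  # fall back to any abuse@ mailbox mentioned in the record
        m = _ABUSE_ANY.search(text)
        contact = m.group(0) if m else None
    return nets, contact


def build_reports(first_seen, whois_texts, unknown="UNKNOWN (look up manually)"):
    """Group logged addresses by the abuse contact of the netblock containing them."""
    owners = [parse_whois(t) for t in whois_texts]
    reports = defaultdict(list)
    for addr, when in sorted(first_seen.items(), key=lambda kv: (kv[1], kv[0])):
        ip = ip_address(addr)
        contact = next((c for nets, c in owners if any(ip in n for n in nets)), None)
        reports[contact or unknown].append((addr, when))
    return dict(reports)


def format_report(contact, entries, hostname):
    """Render the plain-text body sent to one abuse contact."""
    lines = [f"To: {contact}",
             f"Hosts in your netblocks answering for {hostname} (suspected bots):"]
    lines += [f"  {addr}  first seen {when}" for addr, when in entries]
    return "\n".join(lines)


if __name__ == "__main__":
    seen = track_first_seen(DIG_SNAPSHOTS)
    for contact, entries in build_reports(seen, WHOIS_TEXTS).items():
        print(format_report(contact, entries, "bots.flux.example"), end="\n\n")
```

Keeping the first-seen log keyed by address is what makes repeated polling useful: an address that stays in rotation is reported once, and a fresh address shows up as a new report rather than as a duplicate. Addresses whose netblock has no abuse contact on record land in an UNKNOWN bucket so they are not silently dropped.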

Re: BRAT: Botnet Reporting And Termination (Score: 1)
by johnlgalt (Johnny B Goode!)  on Tuesday, 13 November 2007 @ 22:06:56 UTC
http://www.geocities.com/john-galt
My Cable Modem Router has been getting hammered since the middle of September (or possibly before) and up to this point I have just verified every now and again that the logs have been showing that the IP was blocked. However, with this new tool, I might be able to help out a lot more.

In an earlier install of Vista, I had downloaded a free syslog listening software, and then set my router up to forward the syslog entries to my computer - but in a matter of minutes the thing would be literally full of entries. My router only holds the last 200 entries, and so everything I had before is gone.

I tried running back traces on several IPs before and always ended up with them belonging to some ISP, and never knew what to do with them after that - this is a great idea.

I'd love to start my monitoring back up, but the methodology mentioned in the wiki is over my head (or, I should say, I am a bit clueless as to how I should implement some of the steps to gather effective data).

Any help would be appreciated.

I tried to talk to tier 2 technical service reps at my ISP to ask them to manually force an IP change for my system, to see if something somewhere on my network is actually initiating this attack (and thus, making my computers a part of a larger Botnet as well) but they would not do it, and so I am stuck with the same public IP as when I first discovered this issue.
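One way to keep useful data out of a router log that fills within minutes and only retains 200 entries, as an added example in Python that is not the poster's setup or any CastleCops tool: instead of storing raw syslog lines, tally blocked inbound connections per source address (hit count, first and last time seen, targeted ports), which grows with the number of distinct sources rather than with log volume. The sample lines are constructed in the netfilter/iptables LOG format that Linux-based home routers commonly emit; the poster's router format is unknown and may differ, as is the choice to ignore RFC 1918 sources (the LAN itself) and the two-hit threshold for what counts as a repeat offender.

```python
"""Tally blocked inbound sources from forwarded router syslog so the raw log can
be discarded as it fills.  Added example; not CastleCops or the poster's code."""
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed sample: netfilter/iptables-style LOG lines as forwarded by a
# Linux-based home router (RFC 5737 addresses; one line comes from the LAN side).
ROUTER_LOG = """\
Nov 13 21:58:01 router kernel: DROP IN=eth0 SRC=203.0.113.45 DST=192.0.2.10 PROTO=TCP SPT=3344 DPT=135
Nov 13 21:58:02 router kernel: DROP IN=eth0 SRC=203.0.113.45 DST=192.0.2.10 PROTO=TCP SPT=3345 DPT=445
Nov 13 21:58:05 router kernel: DROP IN=eth0 SRC=198.51.100.9 DST=192.0.2.10 PROTO=UDP SPT=1027 DPT=1434
Nov 13 21:58:07 router kernel: ACCEPT IN=eth0 SRC=192.0.2.77 DST=192.0.2.10 PROTO=TCP SPT=40000 DPT=80
Nov 13 21:58:09 router kernel: DROP IN=eth0 SRC=203.0.113.45 DST=192.0.2.10 PROTO=TCP SPT=3346 DPT=139
Nov 13 21:58:11 router kernel: DROP IN=eth0 SRC=198.51.100.9 DST=192.0.2.10 PROTO=UDP SPT=1028 DPT=1434
Nov 13 21:58:12 router kernel: DROP IN=br0 SRC=192.168.1.5 DST=192.0.2.10 PROTO=TCP SPT=5555 DPT=23
Nov 13 21:58:15 router kernel: DROP IN=eth0 SRC=192.0.2.200 DST=192.0.2.10 PROTO=TCP SPT=5000 DPT=22
this line is not a firewall record
"""

_LOG = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ kernel: (?P<action>\w+) "
    r"IN=(?P<iface>\S*) SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=(?P<proto>\w+)"
    r"(?: SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+))?")

# RFC 1918 space: hits from here are the LAN itself, not something to report to an ISP.
LOCAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_line(line):
    """Split one firewall log line into its fields, or None if it is not one."""
    m = _LOG.match(line)
    return m.groupdict() if m else None


class BlockedSourceTally:
    """Per-source aggregate of DROP events; memory grows with distinct sources only."""

    def __init__(self):
        self.sources = {}

    def feed(self, line):
        """Fold one log line into the tally; returns True if it was counted."""
        rec = parse_line(line)
        if not rec or rec["action"] != "DROP":
            return False
        try:
            src = ip_address(rec["src"])
        except ValueError:
            return False
        if any(src in net for net in LOCAL_NETS):
            return False
        entry = self.sources.setdefault(
            str(src), {"hits": 0, "first": rec["ts"], "last": rec["ts"], "targets": Counter()})
        entry["hits"] += 1
        entry["last"] = rec["ts"]
        if rec["dpt"]:
            entry["targets"][f'{rec["proto"]}/{rec["dpt"]}'] += 1
        return True

    def feed_text(self, text):
        """Feed a block of log text; returns how many lines were counted."""
        return sum(self.feed(line) for line in text.splitlines())

    def candidates(self, min_hits=2):
        """Sources worth reporting to their ISP: repeat offenders, busiest first."""
        rows = [(src, e) for src, e in self.sources.items() if e["hits"] >= min_hits]
        return sorted(rows, key=lambda r: (-r[1]["hits"], r[0]))


def summary_line(src, entry):
    """One human-readable line per source for an abuse report."""
    targets = ",".join(f"{t}x{n}" for t, n in sorted(entry["targets"].items()))
    return f'{src}  {entry["hits"]} blocked  {entry["first"]} .. {entry["last"]}  {targets}'


if __name__ == "__main__":
    tally = BlockedSourceTally()
    print(f"{tally.feed_text(ROUTER_LOG)} drop events counted")
    for src, entry in tally.candidates():
        print(summary_line(src, entry))
```

Because the tally is updated as lines arrive, the listener can keep only this structure and a short tail of raw lines; the per-source summary, with first/last timestamps and target ports, is also the information an ISP abuse desk needs to act on a report.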



Re: BRAT: Botnet Reporting And Termination (Score: 1)
by moike  on Wednesday, 14 November 2007 @ 04:26:16 UTC
It is great to see such a program taking shape. The natural way to fight a botnet is to take out the C&C and quickly eliminate the problem, but this has only produced a Storm-style protected peer-to-peer C&C. As Vix theorizes here: http://fm.vix.com/internet/security/superbugs.html, fighting the head only teaches the botnet how to survive. There are many benefits to actually cleaning up the end users' systems. Perhaps ISPs can accept bulk reports and be encouraged to automate their handling of infected customers as much as possible, once they have this information available. It may seem to be tilting at windmills at first, but in the end will prove to be the correct approach.


 