What are the risks of logging into a botnet control channel?

What are the risks of logging into a botnet control channel?

While analyzing a bot-infected machine, I noticed that the botnet controller was being accessed. What are the issues associated with logging into the botnet control channel? Should I avoid doing that?

    Requires Free Membership to View

    Login

    SearchSecurity.com members gain immediate and unlimited access to breaking industry news, virus alerts, new hacker threats, highly focused security newsletters, and more -- all at no cost. Join me on SearchSecurity.com today!

    Michael S. Mimoso, Editorial Director

    By submitting your registration information to SearchSecurity.com you agree to receive email communications from TechTarget and TechTarget partners. We encourage you to read our Privacy Policy which contains important disclosures about how we collect and use your registration and other information. If you reside outside of the United States, by submitting this registration information you consent to having your personal data transferred to and processed in the United States. Your use of SearchSecurity.com is governed by our Terms of Use. You may contact us at webmaster@TechTarget.com.

Be very careful here! While a few botnet specimens are using encrypted peer-to-peer communication technologies, which make them more resistant to monitoring and shutdown attempts, many of today's botnets still rely on a centralized command-and-control structure, often based on Internet Relay Chat (IRC). By sniffing the traffic as an infected machine logs into the botnet, you can watch what the system is up to and potentially see the attacker's commands. Sometimes, an investigator even stumbles upon the user ID and password for controlling -- not just accessing -- the botnet and can then steal the keys to the attacker's castle.

Using that information to interact with the botnet, however, is dangerous. Suppose that you, with the purest of intentions, log into the botnet control channel and issue a command to shut the botnet down or delete the bots. You might inadvertently delete some really important corporate data, or disable a critical server, causing significant financial damage. The large organization that you just affected might turn around and sue you, not the original botnet owner. The attacker might have set up a booby trap so that the botnet goes ballistic if someone else tries to control it. Inadvertently, your actions might cause massive harm.

Beyond that, there is the possibility of retribution. Even if you don't cause damage to the infected machines, there is the not-so-small matter of breaking the bad guy's botnet. The attacker may take this pain out on you by launching a massive flood. One should not trifle with people who manipulate hundreds of thousands of machines and make serious money based on their control.

That said, there is some interesting research being conducted by individuals looking into the actions of large-scale botnets and their operators. I'm not suggesting that such research should be avoided altogether. I am, however, emphasizing that such investigations are not for the faint of heart, must be carried out carefully and could result in some serious negative repercussions. Make sure you consider these issues. For most security people working in most enterprises, such risks aren't worth it.

More information:

  • Ed Skoudis explains if it's possible to detect peer-to-peer (P2P) botnets.
  • Learn how attackers can use the Storm worm to strengthen their botnets.

    • This was first published in September 2007