Home > Ask the Security Experts > Expert Archive: Information Security Threats Questions & Answers > What are the risks of logging into a botnet control channel?
Ask The Security Expert: Questions & Answers
EMAIL THIS

What are the risks of logging into a botnet control channel?

Ed Skoudis, past SearchSecurity.com expert EXPERT RESPONSE FROM: Ed Skoudis, past SearchSecurity.com expert

Pose a Question
Other Security Categories
Meet all Security Experts
Become an Expert for this site


Digg This!    StumbleUpon Toolbar StumbleUpon    Bookmark with Delicious Del.icio.us   


>
QUESTION POSED ON: 24 July 2007
While analyzing a bot-infected machine, I noticed that the botnet controller was being accessed. What are the issues associated with logging into the botnet control channel? Should I avoid doing that?

>
Be very careful here! While a few botnet specimens are using encrypted peer-to-peer communication technologies, which make them more resistant to monitoring and shutdown attempts, many of today's botnets still rely on a centralized command-and-control structure, often based on Internet Relay Chat (IRC). By sniffing the traffic as an infected machine logs into the botnet, you can watch what the system is up to and potentially see the attacker's commands. Sometimes, an investigator even stumbles upon the user ID and password for controlling -- not just accessing -- the botnet and can then steal the keys to the attacker's castle.

Using that information to interact with the botnet, however, is dangerous. Suppose that you, with the purest of intentions, log into the botnet control channel and issue a command to shut the botnet down or delete the bots. You might inadvertently delete some really important corporate data, or disable a critical server, causing significant financial damage. The large organization that you just affected might turn around and sue you, not the original botnet owner. The attacker might have set up a booby trap so that the botnet goes ballistic if someone else tries to control it. Inadvertently, your actions might cause massive harm.

Beyond that, there is the possibility of retribution. Even if you don't cause damage to the infected machines, there is the not-so-small matter of breaking the bad guy's botnet. The attacker may take this pain out on you by launching a massive flood. One should not trifle with people who manipulate hundreds of thousands of machines and make serious money based on their control.

That said, there is some interesting research being conducted by individuals looking into the actions of large-scale botnets and their operators. I'm not suggesting that such research should be avoided altogether. I am, however, emphasizing that such investigations are not for the faint of heart, must be carried out carefully and could result in some serious negative repercussions. Make sure you consider these issues. For most security people working in most enterprises, such risks aren't worth it.

More information:

  • Ed Skoudis explains if it's possible to detect peer-to-peer (P2P) botnets.
  • Learn how attackers can use the Storm worm to strengthen their botnets.


    • BROWSE BY TAG
    Malware, Viruses, Trojans and Spyware,   Expert Archive: Information Security Threats,   Hacker Tools and Techniques: Underground Sites and Hacking Groups,   VIEW ALL TAGS

    Digg This!    StumbleUpon Toolbar StumbleUpon    Bookmark with Delicious Del.icio.us   



    RELATED CONTENT
    Malware, Viruses, Trojans and Spyware
    iPhone worm Rickrolls jailbroken phones
    Israeli Mossad add Trojan Horse to Syrian laptop
    Schneier-Ranum Face-Off: Is antivirus dead?
    Modern malware, stealthy botnets, adapt quickly, expert says
    Computer worm infections up, scareware antivirus down, Microsoft says
    Web-based attacks skyrocket, pirating sites surge, security firms say
    Mini guide: How to remove and prevent Trojans, malware and spyware
    Kaspersky system analyzes malicious URLs on Twitter for malware
    Silon malware intercepts Internet Explorer sessions, steals credentials
    Breach forces payroll service provider PayChoice to shut down again

    Expert Archive: Information Security Threats
    The telltale signs of a network attack
    Will Google Chrome enhance overall browser security?
    Are there antivirus suites that pick up more than just run-of-the-mill viruses?
    What tools can a hacker use to crack a laptop password?
    Are social networking sites an easy target for malicious hackers?
    What are the dangers of cross-site request forgery attacks (CSRF)?
    Should social engineering tests be included in penetration testing?
    What kind of data is compromised during a Google hack?
    Best practices for using restriction policy whitelists
    Defining mobile device security concerns

    Hacker Tools and Techniques: Underground Sites and Hacking Groups
    Metasploit Project acquisition ups ante for penetration testing market
    Successful rogue antivirus hinges on social engineering
    DEFCON survey suggests hacker community on vacation
    DoD urges less network anonymity, more PKI use
    New hacker skills optimize revenue
    Maturing cybercriminal economy buoyed by business savvy hackers
    Juniper pulls ATM hacking presentation from Black Hat
    Botnet platform helps cybercriminals bid for zombie PCs
    Man pleads guilty in online banking hacking scam
    ATM malware lets attackers take over machines

    RELATED GLOSSARY TERMS
    Terms from Whatis.com − the technology online dictionary
    bot worm  (SearchSecurity.com)
    directory traversal  (SearchSecurity.com)
    government Trojan  (SearchSecurity.com)
    Kraken  (SearchSecurity.com)
    man in the browser  (SearchSecurity.com)
    polymorphic malware  (SearchSecurity.com)
    RAT (remote access Trojan)  (SearchSecurity.com)
    RavMonE virus  (SearchSecurity.com)
    RFID virus  (SearchSecurity.com)
    Rock Phish  (SearchSecurity.com)

    RELATED RESOURCES
    2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems
    Search Bitpipe.com for the latest white papers and business webcasts
    Whatis.com, the online computer dictionary



    Search and Browse the Expert Answer Center
    Search and browse more than 25,000 question and answer pairs from more than 250 TechTarget industry experts.
    Browse our Expert Advice



    Find Security Solutions for Your Business
    TechTarget Security Media
    Information Security View this month\\'s issue and subscribe today.
    Information Security Decisions Apply online for free conference admission.
    		SearchSecurity.com
    HomeNewsMagazineMultimediaWhite PapersLearningAdviceTopicsEventsAbout Us
    SEARCH :     Site Index Powered by: Search Powered by Google

    About Us  |  Contact Us  |  For Advertisers  |  For Business Partners  |  Site Index  |  RSS
    TechTarget provides technology professionals with the information they need to perform their jobs - from developing strategy, to making cost-effective purchase decisions and managing their organizations' technology projects - with its network of technology-specific websites, events and online magazines.

    TechTarget Corporate Web Site  |  Media Kits  |  Site Map




    All Rights Reserved, Copyright 2003 - 2009, TechTarget | Read our Privacy Policy     		  TechTarget - The IT Media ROI Experts