EH-Net
May 22, 2013, 07:36:07 PM

Ethical Hacking Discussions and Related Certifications / Network Pen Testing / Re: hacking adware.
on: March 13, 2008, 04:49:41 AM
Or the good old BSOD screensaver.

Liked that one. My favourite, which I've now lost, was a little VB app that mirrored the Windows Explorer window and had a pop-up asking if you wanted to delete the contents of the C:\ drive. Regardless of user action it then showed a video of the drive being deleted before turning the screen blank. A long 10 seconds later it slowly typed "Thank God I'm just joking..." Managed to get the school admins with that several times in my yoof.

Features / /root / Re: Finjan: Chinese Fill Void Left by Russian Business Network (RBN)
on: March 13, 2008, 04:29:43 AM
Sorry for responding to my own post. As if by fate I have just received an email informing me that there is a new update for the Cyber-TA BotHunter package (www.cyber-ta.org/BotHunter). I haven't had a chance to get this app through the change control process at work to give it a run through, but from reading the site I definitely want to. If anyone has any real-world experience of the tool can you let me know if it lives up to the hype?

Features / /root / Re: Finjan: Chinese Fill Void Left by Russian Business Network (RBN)
on: March 12, 2008, 03:35:49 PM
shawal, the story that started my interest in botnet tracking was written by Steve Gibson of GRC.com. Basically it was a write-up of his investigations into a real-life DDoS attack experienced by his company. It included the likes of a detailed explanation of the attack experienced, through to writing a custom IRC bot to snoop on the attackers' botnet command and control structure. I've spent all afternoon trying to find a link to the story but everything I find points to a 404 error on the GRC site, so it looks like it has been taken down for some reason. If you have as much luck as I did finding it, PM me as I may have a saved copy on one of my work machines.

One of the botnet investigations I have undertaken myself was an IRC bot I cleaned from a client's server. Unfortunately I was unable to take the investigation as far as I would have liked as the C&C deactivated before it could be infiltrated. From packet traces obtained during the incident it appeared the bot was part of a spam-sending network and wasn't very subtle: at random times of the day it would max out the server's 100Mb connection, which made finding the issue child's play. An aspect of the bot that I found rather amusing after pulling its code apart is that it seemed to be programmed to throw random insults to the command line. I am now the proud owner of a rather large file containing little more than insults about 'yo' mamma'.

In response to your question about people getting away with murder, from experience in situations like this it can be very difficult, if not impossible, to find the true 'botmaster'. Often the best you can do is clean up, inform any parties that have been involved in the investigation and try to prevent a similar intrusion next time. Regularly, the only machines/IPs/people that you can identify are just regular users like yourself, all blissfully unaware or trying to deal with the same issue.

I recently attended a seminar on forensic investigations where one of the talks was given by a member of a police 'cyber-crime' department. Before the talk I believed that the police force would largely ignore these types of activities but was impressed by the level of interest and available resources. I now intend to pass all findings of future investigations to the relevant authorities, something that was actively encouraged during the event. If you intend to delve deeper into these areas I would highly recommend both the SANS Reading Room and archived webcasts, as well as the Honeynet Project. A good starting point in incident response basics is "Dead Linux Machines do tell tales" (http://www.sans.org/reading_room/whitepapers/honors/1491.php). Hope this rather long rant is of some interest/use, and happy hunting.

Resources / Mass Media / Re: Air Force's Cyber Command General's slashdot interview
on: March 12, 2008, 02:37:52 PM
The worrying part is that he's probably right: offer a risk-free target and I'm guessing most people will take a shot. If nothing else it would create a lot of 'cover' for the 'professionals' to hide in.
Despite Pseud0's quote being among the best, I'd still recommend reading the whole interview for anyone who originally missed it on /.

Features / /root / Re: The Ethics of "Stealing" a WiFi Connection
on: March 12, 2008, 10:53:38 AM
Quote: a public wifi hotspot is usable if you are careful about where you go and what you do, for example. ssh'ing into your server and checking your email is perfectly ok on a public hotspot.

Depends on your interpretation. I read a story (think it was on El Reg but can't find a link, I'll share if I can find it again) about a cafe that had a publicly available AP for its clients. As the story goes, a road warrior who was a semi-regular customer was running late for a meeting and couldn't remember the client's address. He parked (in a legally provided bay) outside the cafe to check his emails and was promptly 'escorted' to the local police station for 'hacking' related offences. I'm not going to wade in on the legal/ethical issues as I'm yet to completely make my mind up; I end up agreeing with each argument. However, this story should be a fairly stark warning. If you don't have explicit, preferably written, permission then it might be wise to go elsewhere or wait until you're back on your own network.

Resources / Career Central / Re: Career Path Advice
on: March 12, 2008, 04:02:35 AM
tntcoda, welcome to EH-Net. This topic strikes close to home so I thought I'd provide you with my experience, as it seems I'm running roughly one year ahead of you. I graduated from a UK uni with a 1st class honours in computing. Like you, I've always had an interest in security. I've nearly been working in my current place for three years (one year placement, one year whilst completing final year and one year after graduating). Don's advice rings true: keep doing whatever your day job is and jump on any opportunity to work on a security-related project. I've mostly completed my usual tasks whilst focusing on the security aspects like tightening ACLs/firewall rules, hardening servers etc. I've also been fortunate (or unfortunate, depending on your viewpoint) in that I've handled a couple of real-world incidents. Nothing makes the management types look at you differently than when the senior guys start panicking and the newcomer whips out a BackTrack/Helix CD and deals with the situation calmly.

Basically, I'd echo Don's advice: get in where you can and push the security aspects where possible. If your company has any standards certifications (ISO 9001, 27001 etc.) this can be a good place to start, by offering to do the security audits (that most people don't enjoy doing). If your place has a security department you can push for a transfer once you've 'proven' yourself; if your place doesn't have a security department then you may become that department.

In terms of pay, I can't speak for the whole UK industry as I don't have that much experience, but from my experience security-type people are being paid more than programmers at the moment. (But security is a hot topic in the UK currently so this could be a blip.) Good luck with your final exams.

Ethical Hacking Discussions and Related Certifications / CEH - Certified Ethical Hacker / Re: CEHv6 at Hacker Halted USA 2008
on: March 11, 2008, 10:06:04 AM
Don,

As someone still looking to take their first security-related course, the obvious question I'd like to ask would be 'why C|EH?'.

For a more specific question, I would like to know the reasoning behind requiring such a complete knowledge of specific tools' command-line switches that seems to be part of the C|EH examination process, especially when in real-world situations most requirements can be formulated with a knowledge of what you are trying to achieve and a few minutes with the man pages (RTFM?).

Just my 2 cents/pence/<insert currency here>