Ethical Hacker Community Forums
Author Topic: need a complt tutorial about designing botnets  (Read 12220 times)

EmanoN
« Reply #15 on: December 12, 2007, 01:49:58 PM »

Quote
Really? I'm helping him to build a botnet? All the information I've posted is available through this thing called a search engine. You might want to try one sometime.

Yes thanks for the tip about using a search engine. I have heard of such things and I will look into it. It is always amazing to me how short-sighted some people can be that claim to be involved in security. The question is not whether a single poster is ethical or not. Just in case some of you haven’t noticed, there are thousands of page views every month on this forum. Most are anonymous. Well, I might be crazy but I would be willing to bet a few might be a little less than “ethical”. But that doesn’t seem to bother some who in their zeal to show off to the community their vast knowledge can’t resist pontificating.

Even if the knowledge is available out on the net by using search engines, (I heard of one that was good, I think it’s called doogle or something like that) why make it easier than it needs to be? Sure you might only slow them down an hour or a day, but at least you know you didn’t contribute to the problem. You would think that would appeal to your ethical sensibilities. Yeah, you can find all the info you need to build a nuclear bomb on the net but I am not going to post links to anyone that asks me just to show off my superior knowledge.

The reality is real high level security pros (and they are the only ones that should be playing around with botnets and undetectable Trojans) DON’T need to come to a site like this for instruction on how to build such things anyway! It’s always interesting to us that walk on both sides of the hat, to see how readily the so-called white hat community gives up exploits, etc… to anyone. The white hat community is making the black hats just damn lazy! There are 2 reasons for this. One is for possible profit and the other is for ego and are trying to impress others without regards to repercussions. They can always claim they are white hats doing it for the good of all, when in reality they have more selfish motivations. Ironically if you go to a black hat site asking similar questions you get flamed or told just “google it”.
« Last Edit: December 12, 2007, 01:53:18 PM by EmanoN »

dean
« Reply #16 on: December 12, 2007, 03:08:32 PM »

Quote
The question is not whether a single poster is ethical or not. Just in case some of you haven’t noticed, there are thousands of page views every month on this forum. Most are anonymous. Well, I might be crazy but I would be willing to bet a few might be a little less than “ethical”.

So because of the possibility of someone seeing a post we should not share information? You talk about being shortsighted yet this mentality of keeping information to ourselves is exactly why bot herders, spammers and online criminals are so successful and able to continue to do what they do almost unchallenged. We should take a lesson from their playbook and learn to share information a little more freely.

Quote
Ironically if you go to a black hat site asking similar questions you get flamed or told just “google it”.

I believe that is exactly what I did.

Quote
There are many case studies and sites with bot source code. Google.





<script>alert('%52%54%46%4D')</script>

ChrisG
« Reply #17 on: December 12, 2007, 03:36:56 PM »

Quote from: EmanoN
Even if the knowledge is available out on the net by using search engines, (I heard of one that was good, I think it’s called doogle or something like that) why make it easier than it needs to be? Sure you might only slow them down an hour or a day, but at least you know you didn’t contribute to the problem. You would think that would appeal to your ethical sensibilities. Yeah, you can find all the info you need to build a nuclear bomb on the net but I am not going to post links to anyone that asks me just to show off my superior knowledge.

i'm going to disagree. first, the impact of a botnet and a nuke can hardly be compared, not even going into the level of skill one requires over the other. second, helping someone google for public information about a subject is hardly contributing to a problem or stoking ego IMO. if we are really concerned about proudindian's ethics then we should mentor and be a positive role model to him in the forum and help him do the right thing with the information. third, and no offense to proudindian, if he came here looking for help with botnets i doubt he'll be standing up the next russian business network any time soon. there isn't too much in the way of 0day dropping in here.

Quote from: EmanoN
The reality is real high level security pros (and they are the only ones that should be playing around with botnets and undetectable Trojans) DON’T need to come to a site like this for instruction on how to build such things anyway!

then how does one become a high level security pro if no one will give them the information or they can't get help from anyone? besides, getting a good handle on botnets is probably a way to land a decent job right and potentially could put you on a path to be one of those "real high level security pros"

Quote from: EmanoN
It’s always interesting to us that walk on both sides of the hat, to see how readily the so-called white hat community gives up exploits, etc… to anyone. The white hat community is making the black hats just damn lazy!

someone walking both sides of the hat is probably not the one to be judging anyone's ethics or motives and that 2nd part is just plain wrong, all whitehats do is mooch off the blackhat's work -- isn't that what all your blackhat sites say?

...tests i took go here...

http://carnal0wnage.blogspot.com/

proudindian
« Reply #18 on: December 13, 2007, 11:15:52 PM »

respected security pros,

i just asked the question because of my interest in this networking security line, i just wanna tell you people, i want to set my life as a security professional, though i grow up in an atmosphere where i can't get all these infos and advantages of using computer, but now at last i am trying my level best for this, after reading my post if you get any trust on me, then i just wanna tell you that i am so much interested in it and i can motivate myself for this... because i got so much interest. and i just saw this network.. and thought that i can get all type of help and tips to set my path correctly. and also so much of knowledge is available here. i am again saying that my aim is not to harm anyone, just wanna provide security and of course i want to work for my country, because i don't think India is not good enough till now, because each and every year, i saw a list of defacing websites and everything... done by hacking groups from pakistan or other countries.. and security providers failed to give any type of security to the websites. If i created any controversy here between you people and harming the atmosphere.. then i am sorry, i will not do that again. I beg your pardon.

sedated
« Reply #19 on: December 13, 2007, 11:54:17 PM »

Quote from: proudindian
respected security pros,

i just asked the question because of my interest in this networking security line, i just wanna tell you people, i want to set my life as a security professional, though i grow up in an atmosphere where i can't get all these infos and advantages of using computer, but now at last i am trying my level best for this, after reading my post if you get any trust on me, then i just wanna tell you that i am so much interested in it and i can motivate myself for this... because i got so much interest. and i just saw this network.. and thought that i can get all type of help and tips to set my path correctly. and also so much of knowledge is available here. i am again saying that my aim is not to harm anyone, just wanna provide security and of course i want to work for my country, because i don't think India is not good enough till now, because each and every year, i saw a list of defacing websites and everything... done by hacking groups from pakistan or other countries.. and security providers failed to give any type of security to the websites. If i created any controversy here between you people and harming the atmosphere.. then i am sorry, i will not do that again. I beg your pardon.

Welcome to the community, you are more than welcome here. i hope you understand the argument here was not really about you. Really this thread just showed that everyone here takes security seriously and that is a good thing. This is a wonderful site and forums and is becoming a great learning tool for myself and i am sure for others.

sedated
« Reply #20 on: December 14, 2007, 12:24:49 AM »

Quote
The question is not whether a single poster is ethical or not. Just in case some of you haven’t noticed, there are thousands of page views every month on this forum. Most are anonymous. Well, I might be crazy but I would be willing to bet a few might be a little less than “ethical”.

given that, was wondering maybe having a private forum that only members could view would be an idea, maybe have a rule that you must have a certain amount of posts before viewing. Admittedly it wouldn't be a guarantee that everyone in said forum is ethical but would be a somewhat safer place to post something you might not want to share with the masses. But of course this would be Don's decision.
« Last Edit: December 14, 2007, 12:26:27 AM by sedated »

Kev
« Reply #21 on: December 14, 2007, 10:29:12 AM »

That's a great idea Sedated but I am not sure how you would actually pull it off. I belonged to another security site that attempted to do that and it didn't work out. The only people that posted sensitive data in the secure site were those that didn't like full disclosure while everyone else just went on as business as usual, posting whatever they wanted to. This ended up being a lot of work for the admin because he had to constantly police the site and determine what to delete or lock, etc. In turn some people would complain that they felt their posts should not have been locked and the entire feeling of the forum felt like some government controlled site, so the admin was constantly putting out fires, etc.
Perhaps we should start a new thread concerning full disclosure and get a general feeling from the posters here how they feel?

sedated
« Reply #22 on: December 14, 2007, 12:30:39 PM »

Quote from: Kev
That's a great idea Sedated but I am not sure how you would actually pull it off. I belonged to another security site that attempted to do that and it didn't work out. The only people that posted sensitive data in the secure site were those that didn't like full disclosure while everyone else just went on as business as usual, posting whatever they wanted to. This ended up being a lot of work for the admin because he had to constantly police the site and determine what to delete or lock, etc. In turn some people would complain that they felt their posts should not have been locked and the entire feeling of the forum felt like some government controlled site, so the admin was constantly putting out fires, etc.
Perhaps we should start a new thread concerning full disclosure and get a general feeling from the posters here how they feel?

Yea i can see how that would be a problem and more work, you definitely don't want to divide the community.

proudindian
« Reply #23 on: December 14, 2007, 01:00:37 PM »

NO way to divide community, just clean the mess, that's why i think it's very important to lock all posts and only registered users will be able to see it and can reply, no one else, and there should be a complaint or maintenance thread for this community. It's indeed important, although it all depends on Mr. Don, but make sure the community's standard and topic standard will never get down. It's a very precious community for we people.

ChrisG
« Reply #24 on: December 14, 2007, 03:41:38 PM »

we don't talk about stuff evil enough to warrant all that trouble, we as members can police this forum well enough i think and if needed Don can lock or delete posts

...tests i took go here...

http://carnal0wnage.blogspot.com/

don
« Reply #25 on: December 16, 2007, 01:43:15 PM »

I try to be as hands off as possible and also leave the community open for discussion. Most of the time I try to facilitate conversations and then let them have a life of their own. If it gets nasty or people blatantly ask for help for illegal purposes, then I'll lock the thread. This one has gotten nowhere near either. As most of you will notice, I will still leave the post for viewing so that others will get an idea of what is accepted and what is not.

As for proudindian's suggestions... they are already in place except for being able to see posts. You must be a registered member to post or reply, but EVERYONE can read the posts. That's the way I want it and that will never change. I personally hate forums that hide posts. And for complaints, the "News Items and General Discussion About EH-Net" is exactly for that... general discussion on and about this site.

As for botnets, I would love to see more discussions and details as to how this is carried out. I would love any thread that gets into the technical details of a security related topic. This and many others are legitimate areas of study and research. I think it would cross the line if we started talking about how to take advantage of a botnet for monetary gain, or the resources for getting in touch with those willing to purchase the services of a botnet herder. But the study of how it works from a technical standpoint seems fine to me.

Hope this adds value to this conversation,
Don

CISSP, MCSE, CEH, Security+ SME

themadhatter
« Reply #26 on: December 16, 2007, 08:30:11 PM »

If someone found a bot on their computer would it be possible to reverse engineer the code and add your own features to it that would allow you to gather information about the bot herder?

dean
« Reply #27 on: December 16, 2007, 09:11:19 PM »

It's easier to just masquerade as a bot than trying to modify the bot's code.
The below info will work for some of the older IRC based botnets:

wget a copy of the bot (follow the spam :) ) and run it in a VM (note that more and more bots are including VM detection) or a computer set up for this purpose.

Run the bot and capture all the traffic using wireshark. Look for IP and domain  info, IRC commands like the NICK, PRIVMSG, JOIN etc... commands: Bots often use a naming convention that describes the computer/country/etc... Eg: GB|W2K|12365. Look for channel passwords and channels. Look for the commands issued by the channel to the bot (.keylog, .passwd, .login, etc...) Look at what is displayed in the channel. Make notes of all of this.

Connect to the bot through Tor and use this information to masquerade as a bot in the channel. Gather all the info you can, NICKS/IPs, etc.. this may be of the owner.

Check out sandboxes (norman, osiris) and malware honeypots (mwcollect, nepenthes) and use them to help in reversing the malware.

Also, rather than connecting to the botserver or running the malware in that manner you can set up your own IRC server, modify the hosts file to point the IRC server to your IP and when the bot connects to your IRC server, try and interact with it to see what its capabilities are. Unpack the malware (if you have a copy) and pull all the strings from the bot. These will often contain servers, commands and more about the bot and its functionality and you can use this to communicate with the bot.

Check out shadowserver.org and disog.org for good information on bots and tracking botnets.

While there are still a lot of IRC based botnets with single command and control servers, they are becoming more sophisticated and are using other protocols to communicate and function. The malware itself is now more 'intelligent', detecting VMs, etc...

Also, if you do decide to attempt to track down botherders, be careful as if you show too much interest in a specific botnet you're likely to be DoS'ed by the owner. The Stormworm's owners often use this tactic to discourage researchers.

dean

<script>alert('%52%54%46%4D')</script>
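
The traffic review described in Reply #27, as an added example (not code from the thread or any of its posters): a parser that pulls nicks, channels, channel keys and dot-commands out of IRC lines exported from a capture. The sample stream, channel name, key and hosts are constructed placeholders.

```python
import re
from collections import Counter

# Constructed sample (not real traffic): IRC lines as exported from a
# packet capture of a sandboxed bot, e.g. Wireshark "Follow TCP Stream".
SAMPLE_STREAM = """\
NICK GB|W2K|12365
USER w2k 0 * :w2k
JOIN #example-chan examplekey
:herder!u@host.example PRIVMSG #example-chan :.login placeholder
:herder!u@host.example PRIVMSG #example-chan :.keylog on
:GB|W2K|12365!w2k@10.0.0.5 PRIVMSG #example-chan :keylog started
:US|XP|55871!xp@10.0.0.9 JOIN #example-chan
PING :irc.example
"""

# Naming convention from the post: COUNTRY|OS|ID, e.g. GB|W2K|12365.
BOT_NICK = re.compile(r"^([A-Z]{2})\|([A-Za-z0-9]+)\|(\d+)$")

def parse_irc_line(line):
    """Return (sender_nick, command, params) for one RFC 1459 style line."""
    sender = None
    if line.startswith(":"):
        prefix, _, line = line[1:].partition(" ")
        if "!" in prefix:          # nick!user@host; bare server names are skipped
            sender = prefix.split("!", 1)[0]
    head, has_trailing, trailing = line.partition(" :")
    words = head.split()
    if not words:
        return None
    return sender, words[0].upper(), words[1:] + ([trailing] if has_trailing else [])

def summarise(stream):
    """Collect the items the post says to note: nicks, channels, keys, commands."""
    nicks, channels, commands, issuers = set(), {}, Counter(), set()
    for raw in stream.splitlines():
        parsed = parse_irc_line(raw.strip())
        if parsed is None:
            continue
        sender, cmd, params = parsed
        if sender:
            nicks.add(sender)
        if cmd == "NICK" and params:
            nicks.add(params[0])
        elif cmd == "JOIN" and params:
            channels.setdefault(params[0], None)
            if len(params) > 1:    # second JOIN parameter is the channel key
                channels[params[0]] = params[1]
        elif cmd == "PRIVMSG" and len(params) == 2 and params[1].startswith("."):
            commands[params[1].split()[0]] += 1
            if sender:
                issuers.add(sender)
    bot_nicks = {n: m.groups() for n in nicks if (m := BOT_NICK.match(n))}
    return {"channels": channels, "commands": dict(commands),
            "issuers": issuers, "bot_nicks": bot_nicks}

if __name__ == "__main__":
    for field, value in summarise(SAMPLE_STREAM).items():
        print(field, value)
```
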

themadhatter
« Reply #28 on: December 16, 2007, 09:48:28 PM »

So basically people just get away with this type of behavior?  I have seen articles talking about how botnets were shut down but they never mentioned anyone getting in trouble (that I noticed).   

It seems that if they have the power to just DoS anyone who is looking into their activity they are untouchable.  If someone is an expert at running a botnet is their activity basically untraceable?

ChrisG
« Reply #29 on: December 17, 2007, 05:24:45 AM »

you're never untraceable, but whoever is tracing you will have to get to the box that you connected to from home to really track you down.

...tests i took go here...

http://carnal0wnage.blogspot.com/